https://github.com/assistant-ui/assistant-ui · lang: typescript · LOC: · source: corpus_mined
| Rule | Severity | Count |
|---|---|---|
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| AIC003 Duplicated implementation block across source files | low | 17 |
| JRN003 Frontend API reference is not matched by discovered backend… | medium | 15 |
| AUC009 [AUC009] Sensitive function route lacks elevated authorizat… | medium | 10 |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 9 |
| MINED111 Bare except continues silently | medium | 9 |
| MINED106 Phantom test coverage (assertion-free test) | high | 5 |
| ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. | medium | 4 |
| SEC135 Auth/permission check missing on AI-generated endpoint | high | 4 |
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
apps/docs/app/(home)/blog/llms.md/[slug]/route.ts:13
· conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. End…
MINED027
React State Array Mutation
CWE-682
packages/assistant-stream/src/resumable/stores/InMemoryResumableStreamStore.ts:90
· conf 1.00
[MINED027] React State Array Mutation: state.X.push/splice/sort followed by setState — React skips re-render on mutated reference.
MINED034
Python Subprocess Shell True
CWE-78
python/assistant-transport-backend/setup.py:31
· conf 1.00
[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
python/assistant-transport-backend-langgraph/test_client.py:10
· conf 1.00
[MINED106] Phantom test coverage: test_chat: Test function `test_chat` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifyin…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
python/assistant-transport-backend-langgraph/test_client.py:74
· conf 1.00
[MINED106] Phantom test coverage: test_health: Test function `test_health` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without veri…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
python/assistant-transport-backend-langgraph/test_subgraph.py:10
· conf 1.00
[MINED106] Phantom test coverage: test_subgraph_chat: Test function `test_subgraph_chat` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
python/assistant-transport-backend-langgraph/test_subgraph.py:120
· conf 1.00
[MINED106] Phantom test coverage: test_direct_tool_result: Test function `test_direct_tool_result` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
python/assistant-ui-sync-server-api/tests/test_client.py:87
· conf 1.00
[MINED106] Phantom test coverage: test_cancel: Test function `test_cancel` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without veri…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:27
· conf 1.00
[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists i…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:28
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:29
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:30
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:31
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_to_empty_state` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:42
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_list` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:43
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_list` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:44
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_append_message_list` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:57
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_merge_ai_message_chunk` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:58
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_merge_ai_message_chunk` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:59
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_merge_ai_message_chunk` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:72
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_replace_non_ai_message` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:73
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_replace_non_ai_message` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:91
· conf 1.00
[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and …
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:92
· conf 1.00
[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and …
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:93
· conf 1.00
[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and …
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:94
· conf 1.00
[MINED108] `self.assertIn` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertIn`, but no assignment to it exists in __init__ (and …
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:95
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-stream/tests/test_langgraph.py:96
· conf 1.00
[MINED108] `self.assertEqual` used but never assigned in __init__: Method `test_updates_event` of class `TestLangGraphIntegration` reads `self.assertEqual`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-ui-sync-server-api/src/assistant_ui/client.py:388
· conf 1.00
[MINED108] `self._ensure_async_client` used but never assigned in __init__: Method `_make_request` of class `AssistantClient` reads `self._ensure_async_client`, but no assignment to it exists in __in…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-ui-sync-server-api/src/assistant_ui/client.py:389
· conf 1.00
[MINED108] `self._get_headers` used but never assigned in __init__: Method `_make_request` of class `AssistantClient` reads `self._get_headers`, but no assignment to it exists in __init__ (and no cla…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-ui-sync-server-api/src/assistant_ui/client.py:410
· conf 1.00
[MINED108] `self._ensure_sync_client` used but never assigned in __init__: Method `_make_request_sync` of class `AssistantClient` reads `self._ensure_sync_client`, but no assignment to it exists in _…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-ui-sync-server-api/src/assistant_ui/client.py:411
· conf 1.00
[MINED108] `self._get_headers_sync` used but never assigned in __init__: Method `_make_request_sync` of class `AssistantClient` reads `self._get_headers_sync`, but no assignment to it exists in __ini…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-ui-sync-server-api/src/assistant_ui/client.py:443
· conf 1.00
[MINED108] `self.close` used but never assigned in __init__: Method `__aexit__` of class `AssistantClient` reads `self.close`, but no assignment to it exists in __init__ (and no class-level fallback)…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/assistant-ui-sync-server-api/src/assistant_ui/client.py:451
· conf 1.00
[MINED108] `self.close_sync` used but never assigned in __init__: Method `__exit__` of class `AssistantClient` reads `self.close_sync`, but no assignment to it exists in __init__ (and no class-level …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
examples/with-ag-ui/server/agent.py:126
· conf 0.80
[MINED112] FastAPI POST /agent has no auth: Handler `agent_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function b…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/assistant-stream-hello-world/api/chat/completions/index.py:14
· conf 0.80
[MINED112] FastAPI POST /api/chat/completions has no auth: Handler `chat_completions` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/assistant-transport-backend-langgraph/main.py:302
· conf 0.80
[MINED112] FastAPI POST /assistant has no auth: Handler `chat_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the functio…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/assistant-transport-backend/main.py:93
· conf 0.80
[MINED112] FastAPI POST /assistant has no auth: Handler `assistant_endpoint` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the fu…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/state-test/server.py:19
· conf 0.80
[MINED112] FastAPI POST /simple-test has no auth: Handler `simple_test` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the functio…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/state-test/server.py:51
· conf 0.80
[MINED112] FastAPI POST /complex-test has no auth: Handler `complex_test` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the funct…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/state-test/server.py:100
· conf 0.80
[MINED112] FastAPI POST /string-test has no auth: Handler `string_test` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the functio…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/state-test/server.py:127
· conf 0.80
[MINED112] FastAPI POST /list-test has no auth: Handler `list_test` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function bo…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
python/state-test/server.py:161
· conf 0.80
[MINED112] FastAPI POST /dict-test has no auth: Handler `dict_test` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function bo…
MINED113
Express POST/PUT/DELETE/PATCH route without auth
CWE-306, CWE-862
examples/with-mcp/server/server.ts:226
· conf 0.80
[MINED113] Express POST /mcp has no auth: Express route POST /mcp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are O…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/claude-code-review.yml:109
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/claude-code-review.yml:115
· conf 0.90
[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/claude.yml:31
· conf 0.90
[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/claude.yml:63
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/claude.yml:69
· conf 0.90
[MINED115] Action `anthropics/claude-code-action` pinned to mutable ref `@v1`: `uses: anthropics/claude-code-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:39
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:44
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:47
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:64
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:80
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:85
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:88
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yaml:94
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/devtools-frame.yaml:25
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/devtools-frame.yaml:30
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/devtools-frame.yaml:33
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/devtools-frame.yaml:39
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/expo.yaml:28
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/expo.yaml:33
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/expo.yaml:36
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/expo.yaml:42
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/registry.yaml:25
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/registry.yaml:30
· conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/registry.yaml:33
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/registry.yaml:39
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/docs/app/layout.tsx:14
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/docs/app/not-found.tsx:23
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
apps/docs/app/tw-glass/(home)/pattern-picker.tsx:6
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
apps/docs/app/tw-glass/(home)/doc-components.tsx:61
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
apps/docs/components/careers/apply-form.tsx:31
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
apps/docs/components/docs/fumadocs/install/install-command.tsx:60
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
AGT007
localStorage write failures are swallowed silently
apps/docs/components/docs/platform/context.tsx:195
· conf 0.80
localStorage write failures are swallowed silently
AGT007
localStorage write failures are swallowed silently
apps/docs/hooks/use-persistent-boolean.ts:62
· conf 0.80
localStorage write failures are swallowed silently
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 6.7% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/api/chat/route.ts:39
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/api/doc/chat/route.ts:296
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/api/playground-chat/route.ts:137
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/(home)/blog/llms.md/[slug]/route.ts:13
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/(home)/llms-full.txt/route.ts:7
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/(home)/llms.mdx/[[...slug]]/route.ts:8
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/docs/app/(home)/llms.txt/route.ts:6
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
apps/registry/app/api/chat/route.ts:10
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
templates/default/app/api/chat/route.ts:10
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
templates/minimal/app/api/chat/route.ts:10
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
examples/with-ag-ui/server/agent.py:43
· conf 0.95
[COMP001] High cognitive complexity: Function `echo_agent` has cognitive complexity 21 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested b…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
python/assistant-stream/src/assistant_stream/create_run.py:192
· conf 0.95
[COMP001] High cognitive complexity: Function `create_run` has cognitive complexity 24 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested b…
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/assistant-stream/src/resumable/ResumableStreamContext.ts:184
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/cloud-ai-sdk/src/core/CloudChatCore.ts:107
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
packages/cloud-ai-sdk/src/core/CloudTelemetryReporter.ts:81
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
JRN003
Frontend API reference is not matched by discovered backend routes
apps/docs/app/layout.tsx:45
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
apps/docs/app/layout.tsx:57
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
apps/docs/app/robots.ts:8
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
apps/docs/components/builder/builder-chat-sidebar.tsx:116
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
apps/docs/components/home/star-pill.tsx:13
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
apps/docs/contexts/AssistantRuntimeProvider.tsx:169
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
apps/registry/app/ai-sdk/assistant.tsx:15
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
packages/react-google-adk/src/AdkClient.ts:11
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
packages/react-google-adk/src/AdkClient.ts:46
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
templates/cloud/app/assistant.tsx:36
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
templates/cloud-clerk/app/assistant.tsx:51
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
templates/default/app/assistant.tsx:30
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
templates/mcp/app/assistant.tsx:36
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
templates/mcp/app/assistant.tsx:43
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
templates/minimal/app/assistant.tsx:15
· conf 0.74
Frontend API reference is not matched by discovered backend routes
MINED109
Mutable default argument
CWE-1023
python/assistant-stream/src/assistant_stream/serialization/openai_stream.py:30
· conf 1.00
[MINED109] Mutable default argument in `_create_chunk` (dict): `def _create_chunk(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all ca…
MINED111
Bare except continues silently
examples/with-ag-ui/server/agent.py:119
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-transport-backend/main.py:139
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-transport-backend/setup.py:140
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-transport-backend/setup.py:146
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-ui-sync-server-api/examples/basic_example.py:37
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-ui-sync-server-api/examples/basic_example.py:68
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-ui-sync-server-api/examples/basic_example.py:128
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-ui-sync-server-api/examples/basic_example.py:162
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/assistant-ui-sync-server-api/examples/basic_example.py:199
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED124
requirements.txt entry has no version pin
CWE-1357
python/state-test/requirements.txt:3
· conf 0.90
[MINED124] requirements.txt: `../assistant-stream` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code …
SEC005
Command Injection Risk
python/assistant-transport-backend/setup.py:31
· conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
packages/react/src/mcp-apps/McpAppRenderer.tsx:82
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC045
eval()/exec() on stored or user-supplied data
apps/docs/components/docs/preview-code.server.tsx:88
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
examples/with-chain-of-thought/app/page.tsx:23
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
examples/with-ffmpeg/app/page.tsx:82
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC087
JS: weak Math.random for crypto
packages/react-mcp/src/auth/createOAuthProvider.ts:128
· conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
SEC125
AI placeholder credential left in source (your-api-key-here style)
packages/react/scripts/test-integration.sh:11
· conf 1.00
[SEC125] AI placeholder credential left in source (your-api-key-here style): AI coding assistants frequently emit placeholder credentials shaped like `API_KEY = "your-api-key-here"` instead of pullin…
AIC003
Duplicated implementation block across source files
apps/social-media/src/launches/cloud-dashboard.tsx:9
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
apps/social-media/src/launches/react-ink.tsx:191
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
apps/social-media/src/launches/react-native.tsx:238
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
apps/social-media/src/launches/react-native.tsx:241
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/assistant-stream/src/core/serialization/ui-message-stream/UIMessageStream.ts:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/assistant-stream/src/core/utils/stream/SSE.ts:25
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/assistant-stream/src/resumable/stores/redis.ts:57
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/cli/src/codemods/v0-9/edge-package-split.ts:37
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/react/primitives/message/MessageAttachments.tsx:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/react/runtimes/cloud/AssistantCloudThreadHistoryAdapter.ts:170
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/runtimes/readonly/ReadonlyThreadRuntimeCore.ts:145
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/runtimes/remote-thread-list/empty-thread-core.ts:128
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/store/clients/thread-message-client.ts:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/store/runtime-clients/message-runtime-client.ts:110
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/core/src/types/index.ts:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/react-ag-ui/src/runtime/AgUiThreadRuntimeCore.ts:121
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
packages/react-ag-ui/src/useAgUiRuntime.ts:65
· conf 0.86
Duplicated implementation block across source files
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
examples/with-ag-ui/server/agent.py:76
· conf 0.95
[COMP001] High cognitive complexity: Function `openai_agent` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
SEC006
XSS Risk
apps/docs/app/safe-content-frame/page.tsx:24
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
apps/docs/components/docs/samples/mermaid.tsx:27
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
packages/ui/src/components/assistant-ui/mermaid-diagram.tsx:72
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 7 more): Same pattern found in 7 additional files. Review if needed.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED042
Cpp New Without Delete
CWE-401
apps/docs/scripts/api-reference/discover.mts:81
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED042
Cpp New Without Delete
CWE-401
apps/docs/scripts/api-reference/type-docs.mts:50
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED042
Cpp New Without Delete
CWE-401
apps/docs/scripts/generate-primitive-docs.mts:33
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 66 more): Same pattern found in 66 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
apps/devtools-extension/background.ts:13
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
apps/devtools-extension/content.ts:5
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
apps/devtools-extension/devtools-panel.tsx:19
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 55 more): Same pattern found in 55 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
apps/docs/app/api/og/route.tsx:41
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
apps/docs/app/(home)/changelog/changelog-list.tsx:33
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
apps/docs/app/ink/terminal-demo.tsx:193
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED049
Print Pii
CWE-532
examples/with-ag-ui/server/agent.py:163
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
packages/react-ink/benchmarks/long-thread.bench.tsx:278
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
python/assistant-transport-backend/setup.py:98
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
python/assistant-stream/src/assistant_stream/create_run.py:248
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
python/assistant-stream/src/assistant_stream/serialization/data_stream.py:23
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
python/assistant-stream/src/assistant_stream/serialization/openai_stream.py:25
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 27 more): Same pattern found in 27 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
apps/devtools-extension/devtools-panel.tsx:44
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
examples/with-expo/components/assistant-ui/composer.tsx:24
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
examples/with-expo/components/assistant-ui/message.tsx:51
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
· conf 0.20
[MINED054] Ts As Any (and 19 more): Same pattern found in 19 additional files. Review if needed.
MINED054
Ts As Any
CWE-704
apps/docs/components/home/glowing-effect.tsx:91
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
examples/with-expo/components/assistant-ui/composer.tsx:25
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
examples/with-expo/components/assistant-ui/message.tsx:52
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED055
Npm Install No Lockfile
CWE-1357
examples/with-ag-ui/server/agent.py:5
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED056
React Key As Index
CWE-682
· conf 0.20
[MINED056] React Key As Index (and 35 more): Same pattern found in 35 additional files. Review if needed.
MINED056
React Key As Index
CWE-682
apps/devtools-frame/components/thread/ThreadDetails.tsx:116
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
apps/docs/app/(home)/changelog/changelog-list.tsx:244
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
apps/docs/app/ink/terminal-demo.tsx:144
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED058
React Dangerously Set Html
CWE-79
apps/docs/app/layout.tsx:77
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED058
React Dangerously Set Html
CWE-79
packages/ui/src/components/ui/chart.tsx:95
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED064
Python Input Call
python/assistant-transport-backend/setup.py:54
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED065
Cors Wildcard
CWE-942, CWE-346
python/assistant-stream-hello-world/api/chat/completions/index.py:10
· conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
MINED065
Cors Wildcard
CWE-942, CWE-346
python/assistant-transport-backend-langgraph/main.py:291
· conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
MINED065
Cors Wildcard
CWE-942, CWE-346
python/assistant-transport-backend/main.py:82
· conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
MINED088
React Conditional Hook
CWE-682
packages/core/src/react/runtimes/RemoteThreadListHookInstanceManager.tsx:174
· conf 1.00
[MINED088] React Conditional Hook: useState/useEffect inside if/loop violates Rules of Hooks.
SEC002
Hardcoded API Key
packages/react/scripts/test-integration.sh:11
· conf 0.15
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
SEC020
Secret Printed to Logs
examples/with-ag-ui/server/agent.py:163
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
python/assistant-transport-backend/setup.py:98
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 25 more): Same pattern found in 25 additional files. Review if needed.
SEC040
innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 7 more): Same pattern found in 7 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 4 more): Same pattern found in 4 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
· conf 0.20
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier (and 5 more): Same pattern found in 5 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
examples/with-ag-ui/app/MyRuntimeProvider.tsx:29
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
examples/with-chain-of-thought/app/api/chat/route.ts:155
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
examples/with-resumable-stream/app/api/chat/route.ts:31
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 34 more): Same pattern found in 34 additional files. Review if needed.
SEC135
Auth/permission check missing on AI-generated endpoint
· conf 0.20
[SEC135] Auth/permission check missing on AI-generated endpoint (and 2 more): Same pattern found in 2 additional files. Review if needed.