https://github.com/elebumm/RedditVideoMakerBot · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED108 self.attribute used but never assigned in __init__ | high | 22 |
| MINED111 Bare except continues silently | medium | 11 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 10 |
| MINED067 Python Requests No Timeout | info | 4 |
| COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc… | low | 4 |
| MINED064 Python Input Call | info | 4 |
| SEC078 Python: requests without timeout | high | 4 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 3 |
| SEC132 String concat where the language has interpolation (AI styl… | low | 3 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 3 |
MINED107
Missing Python import (NameError at runtime)
CWE-1075
utils/voice.py:43
· conf 1.00
[MINED107] Missing import: `time` used but not imported: The file uses `time.something(...)` but never imports `time`. This raises NameError at runtime the first time the line executes.
CORE_NO_TESTS
No test files found
JRN009
Secret-like setting is echoed into a password input value
GUI/settings.html:56
· conf 0.83
MINED006
Overcatch Baseexception
CWE-705
main.py:120
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED034
Python Subprocess Shell True
CWE-78
utils/ffmpeg_install.py:71
· conf 1.00
[MINED034] Python Subprocess Shell True: subprocess(..., shell=True) enables command injection.
MINED036
Python Os System Call
CWE-78
TTS/engine_wrapper.py:130
· conf 1.00
[MINED036] Python Os System Call: os.system() invokes shell with no escaping.
MINED036
Python Os System Call
CWE-78
utils/posttextparser.py:19
· conf 1.00
[MINED036] Python Os System Call: os.system() invokes shell with no escaping.
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/aws_polly.py:38
· conf 1.00
[MINED108] `self.randomvoice` used but never assigned in __init__: Method `run` of class `AWSPolly` reads `self.randomvoice`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/elevenlabs.py:16
· conf 1.00
[MINED108] `self.initialize` used but never assigned in __init__: Method `run` of class `elevenlabs` reads `self.initialize`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/elevenlabs.py:18
· conf 1.00
[MINED108] `self.randomvoice` used but never assigned in __init__: Method `run` of class `elevenlabs` reads `self.randomvoice`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/elevenlabs.py:37
· conf 1.00
[MINED108] `self.initialize` used but never assigned in __init__: Method `randomvoice` of class `elevenlabs` reads `self.initialize`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:73
· conf 1.00
[MINED108] `self.add_periods` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.add_periods`, but no assignment to it exists in __init__ (and no class-level fallback)…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:74
· conf 1.00
[MINED108] `self.call_tts` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.call_tts`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:81
· conf 1.00
[MINED108] `self.split_post` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.split_post`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:83
· conf 1.00
[MINED108] `self.call_tts` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.call_tts`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:86
· conf 1.00
[MINED108] `self.call_tts` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.call_tts`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:98
· conf 1.00
[MINED108] `self.split_post` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.split_post`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:100
· conf 1.00
[MINED108] `self.call_tts` used but never assigned in __init__: Method `run` of class `TTSEngine` reads `self.call_tts`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:113
· conf 1.00
[MINED108] `self.create_silence_mp3` used but never assigned in __init__: Method `split_post` of class `TTSEngine` reads `self.create_silence_mp3`, but no assignment to it exists in __init__ (and no …
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/engine_wrapper.py:123
· conf 1.00
[MINED108] `self.call_tts` used but never assigned in __init__: Method `split_post` of class `TTSEngine` reads `self.call_tts`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/openai_tts.py:67
· conf 1.00
[MINED108] `self.randomvoice` used but never assigned in __init__: Method `run` of class `OpenAITTS` reads `self.randomvoice`, but no assignment to it exists in __init__ (and no class-level fallback)…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/pyttsx.py:32
· conf 1.00
[MINED108] `self.randomvoice` used but never assigned in __init__: Method `run` of class `pyttsx` reads `self.randomvoice`, but no assignment to it exists in __init__ (and no class-level fallback). T…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/streamlabs_polly.py:39
· conf 1.00
[MINED108] `self.randomvoice` used but never assigned in __init__: Method `run` of class `StreamlabsPolly` reads `self.randomvoice`, but no assignment to it exists in __init__ (and no class-level fal…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/streamlabs_polly.py:52
· conf 1.00
[MINED108] `self.run` used but never assigned in __init__: Method `run` of class `StreamlabsPolly` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This rai…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/TikTok.py:98
· conf 1.00
[MINED108] `self.random_voice` used but never assigned in __init__: Method `run` of class `TikTok` reads `self.random_voice`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
TTS/TikTok.py:104
· conf 1.00
[MINED108] `self.get_voices` used but never assigned in __init__: Method `run` of class `TikTok` reads `self.get_voices`, but no assignment to it exists in __init__ (and no class-level fallback). Thi…
MINED108
self.attribute used but never assigned in __init__
CWE-476
video_creation/final_video.py:39
· conf 1.00
[MINED108] `self.get_latest_ms_progress` used but never assigned in __init__: Method `run` of class `ProgressFfmpeg` reads `self.get_latest_ms_progress`, but no assignment to it exists in __init__ (a…
MINED108
self.attribute used but never assigned in __init__
CWE-476
video_creation/final_video.py:63
· conf 1.00
[MINED108] `self.start` used but never assigned in __init__: Method `__enter__` of class `ProgressFfmpeg` reads `self.start`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
video_creation/final_video.py:67
· conf 1.00
[MINED108] `self.stop` used but never assigned in __init__: Method `__exit__` of class `ProgressFfmpeg` reads `self.stop`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql-analysis.yml:42
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql-analysis.yml:46
· conf 0.90
[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v2`: `uses: github/codeql-action/init@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql-analysis.yml:60
· conf 0.90
[MINED115] Action `github/codeql-action/autobuild` pinned to mutable ref `@v2`: `uses: github/codeql-action/autobuild@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the acti…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/codeql-analysis.yml:73
· conf 0.90
[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v2`: `uses: github/codeql-action/analyze@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/fmt.yml:14
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/fmt.yml:16
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lint.yml:9
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lint.yml:10
· conf 0.90
[MINED115] Action `psf/black` pinned to mutable ref `@stable`: `uses: psf/black@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lint.yml:13
· conf 0.90
[MINED115] Action `isort/isort-action` pinned to mutable ref `@v1`: `uses: isort/isort-action@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/stale.yml:15
· conf 0.90
[MINED115] Action `actions/stale` pinned to mutable ref `@v9`: `uses: actions/stale@v9` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `python:3.10.14-slim` not pinned by digest: `FROM python:3.10.14-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
TTS/openai_tts.py:84
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
TTS/streamlabs_polly.py:49
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
utils/ffmpeg_install.py:21
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC035
Unbounded Resource Allocation — DoS risk
utils/ffmpeg_install.py:37
· conf 1.00
[SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust …
SEC078
Python: requests without timeout
TTS/openai_tts.py:84
· conf 1.00
[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…
SEC078
Python: requests without timeout
TTS/streamlabs_polly.py:49
· conf 1.00
[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…
SEC078
Python: requests without timeout
utils/ffmpeg_install.py:21
· conf 1.00
[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
TTS/GTTS.py:19
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
utils/imagenarator.py:74
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC135
Auth/permission check missing on AI-generated endpoint
GUI.py:49
· conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
GUI.py:70
· conf 0.66
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
GUI.py:62
· conf 0.68
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
TTS/engine_wrapper.py:69
· conf 0.95
[COMP001] High cognitive complexity: Function `run` has cognitive complexity 23 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
DKR001
Docker final stage has no non-root USER
Dockerfile:1
· conf 0.82
DKR009
Dockerfile separates apt update from install
Dockerfile:3
· conf 0.86
DKR017
Dockerfile installs dependencies after copying the full source tree
Dockerfile:10
· conf 0.90
MINED109
Mutable default argument
CWE-1023
utils/settings.py:96
· conf 1.00
[MINED109] Mutable default argument in `crawl_and_check` (dict): `def crawl_and_check(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across al…
MINED111
Bare except continues silently
reddit/subreddit.py:47
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
TTS/engine_wrapper.py:167
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/console.py:107
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/ffmpeg_install.py:61
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/ffmpeg_install.py:77
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/ffmpeg_install.py:137
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/gui_utils.py:50
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/settings.py:34
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/settings.py:115
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/settings.py:132
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
utils/settings.py:146
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC005
Command Injection Risk
TTS/engine_wrapper.py:130
· conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
SEC005
Command Injection Risk
utils/ffmpeg_install.py:71
· conf 0.50
[SEC005] Command Injection Risk: Unsafe shell execution or eval of user input.
SEC012
ZipSlip — Archive Path Traversal
utils/ffmpeg_install.py:37
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
SEC015
Insecure Randomness for Security
video_creation/background.py:71
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC045
eval()/exec() on stored or user-supplied data
utils/console.py:105
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
utils/gui_utils.py:49
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
utils/settings.py:33
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
AIC003
Duplicated implementation block across source files
TTS/streamlabs_polly.py:6
· conf 0.86
AIC003
Duplicated implementation block across source files
utils/settings.py:40
· conf 0.86
AUC005
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
· conf 0.76
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
TTS/aws_polly.py:33
· conf 0.95
[COMP001] High cognitive complexity: Function `run` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches,…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
TTS/engine_wrapper.py:105
· conf 0.95
[COMP001] High cognitive complexity: Function `split_post` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested b…
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
DKR011
Dockerfile installs recommended OS packages
Dockerfile:4
· conf 0.72
DKR011
Dockerfile installs recommended OS packages
Dockerfile:5
· conf 0.72
DKR012
Dockerfile keeps pip download cache
Dockerfile:10
· conf 0.72
SEC124
TOCTOU file access (os.access then open)
utils/ffmpeg_install.py:17
· conf 1.00
[SEC124] TOCTOU file access (os.access then open): Check-then-use file pattern (access/exists then open) lets an attacker swap the file between check and use (symlink attack). `mktemp` is deprecated …
SEC132
String concat where the language has interpolation (AI style drift)
TTS/engine_wrapper.py:110
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
utils/console.py:108
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
utils/settings.py:73
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 13 more): Same pattern found in 13 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
GUI.py:114
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED050
Stub Only Function
CWE-1188
video_creation/screenshot_downloader.py:120
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED064
Python Input Call
· conf 0.20
[MINED064] Python Input Call (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED064
Python Input Call
reddit/subreddit.py:26
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED064
Python Input Call
utils/console.py:53
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED064
Python Input Call
utils/ffmpeg_install.py:120
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED067
Python Requests No Timeout
CWE-400
· conf 0.20
[MINED067] Python Requests No Timeout (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED067
Python Requests No Timeout
CWE-400
TTS/openai_tts.py:84
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
TTS/streamlabs_polly.py:49
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
utils/ffmpeg_install.py:21
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED077
Python Open No Context
CWE-772
TTS/aws_polly.py:57
· conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
MINED077
Python Open No Context
CWE-772
video_creation/screenshot_downloader.py:39
· conf 1.00
[MINED077] Python Open No Context: fp = open(path) outside with-block leaks file handles.
SEC020
Secret Printed to Logs
reddit/subreddit.py:46
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC078
Python: requests without timeout
· conf 0.20
[SEC078] Python: requests without timeout (and 1 more): Same pattern found in 1 additional files. Review if needed.