alumnium-hq/alumnium

[COMP001] High cognitive complexity: Function `_node_to_xml` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…

[MINED106] Phantom test coverage: test_drag_slider: Test function `test_drag_slider` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage wi…

[MINED106] Phantom test coverage: test_execute_javascript_to_scroll: Test function `test_execute_javascript_to_scroll` runs code but contains no assert / expect / should call — it passes regardless o…

[MINED106] Phantom test coverage: test_cross_origin_iframe: Test function `test_cross_origin_iframe` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …

[MINED106] Phantom test coverage: test_select_option: Test function `test_select_option` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…

[MINED106] Phantom test coverage: test_waiting_for_requests_and_form_updates: Test function `test_waiting_for_requests_and_form_updates` runs code but contains no assert / expect / should call — it p…

[MINED108] `self._node_to_xml` used but never assigned in __init__: Method `to_str` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (and no …

[MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no clas…

[MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no clas…

[MINED108] `self._to_str` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._to_str`, but no assignment to it exists in __init__ (and no clas…

[MINED108] `self._node_to_xml` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (a…

[MINED108] `self._node_to_xml` used but never assigned in __init__: Method `_node_to_xml` of class `ChromiumAccessibilityTree` reads `self._node_to_xml`, but no assignment to it exists in __init__ (a…

[MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `ChromiumAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class…

[MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `ChromiumAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class…

[MINED108] `self._from_xml` used but never assigned in __init__: Method `scope_to_area` of class `ChromiumAccessibilityTree` reads `self._from_xml`, but no assignment to it exists in __init__ (and no…

[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `to_str` of class `UIAutomator2AccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and…

[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `_add_raw_ids` of class `UIAutomator2AccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init_…

[MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `UIAutomator2AccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no c…

[MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `UIAutomator2AccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no c…

[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `to_str` of class `XCUITestAccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (and no …

[MINED108] `self._add_raw_ids` used but never assigned in __init__: Method `_add_raw_ids` of class `XCUITestAccessibilityTree` reads `self._add_raw_ids`, but no assignment to it exists in __init__ (a…

[MINED108] `self.to_str` used but never assigned in __init__: Method `element_by_id` of class `XCUITestAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class…

[MINED108] `self.to_str` used but never assigned in __init__: Method `scope_to_area` of class `XCUITestAccessibilityTree` reads `self.to_str`, but no assignment to it exists in __init__ (and no class…

[MINED108] `self._stop_server` used but never assigned in __init__: Method `quit` of class `HttpClient` reads `self._stop_server`, but no assignment to it exists in __init__ (and no class-level fallb…

[MINED108] `self._build_server_pid_name` used but never assigned in __init__: Method `_resolve_url` of class `HttpClient` reads `self._build_server_pid_name`, but no assignment to it exists in __init…

[MINED108] `self._stop_server` used but never assigned in __init__: Method `_resolve_url` of class `HttpClient` reads `self._stop_server`, but no assignment to it exists in __init__ (and no class-lev…

[MINED108] `self._wait_for_page_to_load` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._wait_for_page_to_load`, but no assignment to it exists…

[MINED108] `self._get_all_frame_ids` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_all_frame_ids`, but no assignment to it exists in __in…

[MINED108] `self._build_frame_hierarchy` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._build_frame_hierarchy`, but no assignment to it exists…

[MINED108] `self._get_frame_chain` used but never assigned in __init__: Method `accessibility_tree` of class `SeleniumDriver` reads `self._get_frame_chain`, but no assignment to it exists in __init__…

[MINED108] `self._normalize_paths` used but never assigned in __init__: Method `invoke` of class `UploadTool` reads `self._normalize_paths`, but no assignment to it exists in __init__ (and no class-l…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `actions-cool/check-user-permission` pinned to mutable ref `@v2`: `uses: actions-cool/check-user-permission@v2` resolves at workflow-run time. Tags and branches can be re-pushed by …

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `jdx/mise-action` pinned to mutable ref `@v4`: `uses: jdx/mise-action@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-act…

[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v5`: `uses: actions/upload-pages-artifact@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action…

[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v5`: `uses: actions/deploy-pages@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed b…

[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed b…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `actions/attest-build-provenance` pinned to mutable ref `@v3`: `uses: actions/attest-build-provenance@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the ac…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

[MINED115] Action `actions/attest` pinned to mutable ref `@v4`: `uses: actions/attest@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actio…

[MINED115] Action `mxschmitt/action-tmate` pinned to mutable ref `@v3`: `uses: mxschmitt/action-tmate@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that m…

[MINED118] Dockerfile FROM `debian:bookworm-slim` not pinned by digest: `FROM debian:bookworm-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so eve…

[MINED119] Dockerfile `ADD https://github.com/krallin/tini/releases/download/v0.19.0/tini-${TARGETARCH}`: Dockerfile `ADD <url>` downloads a remote artifact into the image with no integrity check. If…

[MINED122] package.json dep `alumnium` pulled from URL/Git: `dependencies.alumnium` = `file:../../../dist/npm-alumnium` bypasses the npm registry. No integrity hash, no version locking, no registry-s…

[MINED122] package.json dep `alumnium` pulled from URL/Git: `dependencies.alumnium` = `file:../../../dist/npm-alumnium` bypasses the npm registry. No integrity hash, no version locking, no registry-s…

[MINED134] Binary file `packages/java/gradle/wrapper/gradle-wrapper.jar` committed in source repo: `packages/java/gradle/wrapper/gradle-wrapper.jar` is a .jar binary (48,966 bytes) committed to a rep…

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC024] XML External Entity (XXE) — Java parser default: Java XML parsers accept external entity references by default. An attacker can craft XML input that reads server files (file://), exfiltrates…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…

[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).

[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).

[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…

[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

Remote install command pipes network code directly to a shell

[COMP001] High cognitive complexity: Function `after_scenario` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nest…

Docker final stage has no non-root USER

Compose service `lgtm` image uses the latest tag

Dockerfile ADD downloads remote content

[ERR002] Empty Catch Block: Empty catch blocks hide errors.

[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …

[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

Duplicated implementation block across source files

[COMP001] High cognitive complexity: Function `driver` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branc…

Compose service does not declare a runtime user

Compose service lacks no-new-privileges hardening

.dockerignore misses sensitive defaults

[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…

[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…

[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…

[COMP001] High cognitive complexity (and 7 more): Same pattern found in 7 additional files. Review if needed.

[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

[MINED044] Js Console Log Prod (and 4 more): Same pattern found in 4 additional files. Review if needed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

[MINED045] Ts Non Null Assertion (and 4 more): Same pattern found in 4 additional files. Review if needed.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.

[MINED050] Stub Only Function (and 4 more): Same pattern found in 4 additional files. Review if needed.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.

[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.

[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.

[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed.

[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.

[SEC132] String concat where the language has interpolation (AI style drift) (and 1 more): Same pattern found in 1 additional files. Review if needed.