https://github.com/kulturpool/EDMLib.git · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED108 self.attribute used but never assigned in `__init__` | high | 22 |
| MINED106 Phantom test coverage (assertion-free test) | high | 15 |
| COMP001 High cognitive complexity | low | 4 |
| MINED043 Http Not Https | info | 4 |
| CORE_NO_LICENSE No LICENSE file | low | 1 |
| DKR007 Docker build context has no .dockerignore | medium | 1 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 1 |
| DKR012 Dockerfile keeps pip download cache | low | 1 |
| DKC010 Compose service lacks no-new-privileges hardening | low | 1 |
| MINED126 GHA workflow container/services image unpinned | high | 1 |
| Rule | Title | CWE | Location | Conf | Message |
|---|---|---|---|---|---|
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_classes.py:18 | 1.00 | [MINED106] Phantom test coverage: test_validation_cho_and_aggregation_id: Test function `test_validation_cho_and_aggregation_id` runs code but contains no assert / expect / should call — it passes re… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_classes.py:25 | 1.00 | [MINED106] Phantom test coverage: test_validation_skos_pref_label: Test function `test_validation_skos_pref_label` runs code but contains no assert / expect / should call — it passes regardless of be… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_classes.py:62 | 1.00 | [MINED106] Phantom test coverage: test_validation_skos_pref_label_multi_none_lang_tags_fail: Test function `test_validation_skos_pref_label_multi_none_lang_tags_fail` runs code but contains no assert… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_classes.py:75 | 1.00 | [MINED106] Phantom test coverage: test_validation_skos_pref_label_single_missing_tag_raises: Test function `test_validation_skos_pref_label_single_missing_tag_raises` runs code but contains no assert… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_classes.py:140 | 1.00 | [MINED106] Phantom test coverage: test_edm_type_validation: Test function `test_edm_type_validation` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds … |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_providedCHO.py:22 | 1.00 | [MINED106] Phantom test coverage: test_providedcho_missing_identifier_raises: Test function `test_providedcho_missing_identifier_raises` runs code but contains no assert / expect / should call — it p… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_edm_providedCHO.py:36 | 1.00 | [MINED106] Phantom test coverage: test_providedcho_empty_identifier_raises: Test function `test_providedcho_empty_identifier_raises` runs code but contains no assert / expect / should call — it passe… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_rights.py:37 | 1.00 | [MINED106] Phantom test coverage: test_for_valid_statements: Test function `test_for_valid_statements` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_rights.py:49 | 1.00 | [MINED106] Phantom test coverage: test_for_invalid_statements: Test function `test_for_invalid_statements` runs code but contains no assert / expect / should call — it passes regardless of behaviour.… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/edm/test_uri_ref.py:6 | 1.00 | [MINED106] Phantom test coverage: test_invalid_uriref_raises_exception: Test function `test_invalid_uriref_raises_exception` runs code but contains no assert / expect / should call — it passes regard… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/parser/test_aggregation_uri_validation.py:5 | 1.00 | [MINED106] Phantom test coverage: test_parse_edm_xml: Test function `test_parse_edm_xml` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/parser/test_aggregation_uri_validation.py:9 | 1.00 | [MINED106] Phantom test coverage: test_construct_programmatically: Test function `test_construct_programmatically` runs code but contains no assert / expect / should call — it passes regardless of be… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/parser/test_parser.py:18 | 1.00 | [MINED106] Phantom test coverage: test_validation_edm_type_with_lang_raises: Test function `test_validation_edm_type_with_lang_raises` runs code but contains no assert / expect / should call — it pas… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/parser/test_parser.py:62 | 1.00 | [MINED106] Phantom test coverage: test_parser_empty_element_and_invalid_ref: Test function `test_parser_empty_element_and_invalid_ref` runs code but contains no assert / expect / should call — it pas… |
| MINED106 | Phantom test coverage (assertion-free test) | CWE-1126 | tests/parser/test_rights.py:6 | 1.00 | [MINED106] Phantom test coverage: test_missing_edm_rights: Test function `test_missing_edm_rights` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/edm/base.py:49 | 1.00 | [MINED108] `self.label` used but never assigned in __init__: Method `get_triples` of class `EDM_BaseClass` reads `self.label`, but no assignment to it exists in __init__ (and no class-level fallback)… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/edm/base.py:52 | 1.00 | [MINED108] `self.model_fields` used but never assigned in __init__: Method `get_triples` of class `EDM_BaseClass` reads `self.model_fields`, but no assignment to it exists in __init__ (and no class-l… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/edm/enums.py:204 | 1.00 | [MINED108] `self.value` used but never assigned in __init__: Method `is_optional` of class `CARDINALITY` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). … |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/edm/record.py:102 | 1.00 | [MINED108] `self.get_rdf_graph` used but never assigned in __init__: Method `serialize` of class `EDM_Record` reads `self.get_rdf_graph`, but no assignment to it exists in __init__ (and no class-leve… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/edm/record.py:106 | 1.00 | [MINED108] `self.get_rdf_graph` used but never assigned in __init__: Method `get_framed_json_ld` of class `EDM_Record` reads `self.get_rdf_graph`, but no assignment to it exists in __init__ (and no c… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:138 | 1.00 | [MINED108] `self.get_many_ref` used but never assigned in __init__: Method `get_single_ref` of class `EDM_Parser` reads `self.get_many_ref`, but no assignment to it exists in __init__ (and no class-l… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:234 | 1.00 | [MINED108] `self.get_single_ref` used but never assigned in __init__: Method `parse_single_class` of class `EDM_Parser` reads `self.get_single_ref`, but no assignment to it exists in __init__ (and no… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:236 | 1.00 | [MINED108] `self.get_aggregation` used but never assigned in __init__: Method `parse_single_class` of class `EDM_Parser` reads `self.get_aggregation`, but no assignment to it exists in __init__ (and … |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:242 | 1.00 | [MINED108] `self.get_instance_triples` used but never assigned in __init__: Method `parse_single_class` of class `EDM_Parser` reads `self.get_instance_triples`, but no assignment to it exists in __in… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:250 | 1.00 | [MINED108] `self.get_webresources` used but never assigned in __init__: Method `parse_many_class` of class `EDM_Parser` reads `self.get_webresources`, but no assignment to it exists in __init__ (and … |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:252 | 1.00 | [MINED108] `self.get_many_ref` used but never assigned in __init__: Method `parse_many_class` of class `EDM_Parser` reads `self.get_many_ref`, but no assignment to it exists in __init__ (and no class… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:259 | 1.00 | [MINED108] `self.get_instance_triples` used but never assigned in __init__: Method `parse_many_class` of class `EDM_Parser` reads `self.get_instance_triples`, but no assignment to it exists in __init… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:266 | 1.00 | [MINED108] `self.parse_single_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_single_class`, but no assignment to it exists in __init__ (and no clas… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:267 | 1.00 | [MINED108] `self.parse_single_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_single_class`, but no assignment to it exists in __init__ (and no clas… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:268 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:269 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:270 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:271 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:272 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:273 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/parser.py:274 | 1.00 | [MINED108] `self.parse_many_class` used but never assigned in __init__: Method `parse` of class `EDM_Parser` reads `self.parse_many_class`, but no assignment to it exists in __init__ (and no class-le… |
| MINED108 | self.attribute used but never assigned in `__init__` | CWE-476 | edmlib/shared_types.py:29 | 1.00 | [MINED108] `self.value` used but never assigned in __init__: Method `is_optional` of class `CARDINALITY` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). … |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | CWE-829 | .github/workflows/publish-to-pypi.yml:18 | 0.90 | [MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a… |
| MINED118 | Dockerfile FROM not pinned by sha256 digest | CWE-829 | .devcontainer/Dockerfile:1 | 0.90 | [MINED118] Dockerfile FROM `python:3.12.9` not pinned by digest: `FROM python:3.12.9` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is po… |
| MINED126 | GHA workflow container/services image unpinned | CWE-829 | .github/workflows/publish-to-pypi.yml:13 | 0.90 | [MINED126] Workflow container/services image `registry.kpool.at/kulturpool/development-operations/ci-cd/docker-images/poetry-packaging/poetry-packaging:1.1.1` unpinned: `container/services image: reg… |
| SEC078 | Python: requests without timeout | | edmlib/edm/record.py:130 | 1.00 | [SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-… |
| SEC128 | Async function without await — fire-and-forget Promise (AI mistake) | | edmlib/parser.py:227 | 1.00 | [SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… |
| DKR007 | Docker build context has no .dockerignore | | .dockerignore | 0.90 | |
| MINED109 | Mutable default argument | CWE-1023 | edmlib/edm/jsonld_cached_documentloader.py:12 | 1.00 | [MINED109] Mutable default argument in `cached_loader` (dict): `def cached_loader(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all ca… |
| COMP001 | High cognitive complexity | | edmlib/edm/base.py:37 | 0.95 | [COMP001] High cognitive complexity: Function `get_triples` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested … |
| COMP001 | High cognitive complexity | | edmlib/edm/record.py:65 | 0.95 | [COMP001] High cognitive complexity: Function `get_rdf_graph` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — neste… |
| COMP001 | High cognitive complexity | | edmlib/edm/validation/edm_rights.py:58 | 0.95 | [COMP001] High cognitive complexity: Function `assert_valid_statement` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understan… |
| CORE_NO_LICENSE | No LICENSE file | | | | |
| DKC006 | Compose service does not declare a runtime user | | .devcontainer/compose.yml:1 | 0.56 | |
| DKC010 | Compose service lacks no-new-privileges hardening | | .devcontainer/compose.yml:1 | 0.62 | |
| DKR012 | Dockerfile keeps pip download cache | | .devcontainer/Dockerfile:16 | 0.72 | |
| COMP001 | High cognitive complexity | | | 0.20 | [COMP001] High cognitive complexity (and 1 more): Same pattern found in 1 additional files. Review if needed. |
| MINED043 | Http Not Https | CWE-319 | | 0.20 | [MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed. |
| MINED043 | Http Not Https | CWE-319 | edmlib/edm/classes/service.py:24 | 1.00 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | edmlib/edm/enums.py:17 | 1.00 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | edmlib/edm/validation/3d_vocabularies.py:7 | 1.00 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED050 | Stub Only Function | CWE-1188 | edmlib/parser.py:241 | 1.00 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED067 | Python Requests No Timeout | CWE-400 | edmlib/edm/record.py:130 | 1.00 | [MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever. |