https://github.com/teng-lin/notebooklm-py.git · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED111 Bare except continues silently | medium | 25 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED108 self.attribute used but never assigned in `__init__` | high | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED107 Missing Python import (NameError at runtime) | critical | 10 |
| AIC003 Duplicated implementation block across source files | low | 7 |
| MINED110 Blocking call inside async function | high | 5 |
| MINED062 Python Dataclass No Fields | info | 4 |
| MINED050 Stub Only Function | info | 4 |
| COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc…` | low | 4 |
MINED018 · Unsafe Deserialization Pickle · CWE-502 · scripts/rescrub-cassettes.py:178 · conf 1.00
[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · src/notebooklm/_auth/account.py:96 · conf 1.00
[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · src/notebooklm/cli/services/login.py:83 · conf 1.00
[MINED107] Missing import: `email` used but not imported: The file uses `email.something(...)` but never imports `email`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · src/notebooklm/cli/services/source_add.py:131 · conf 1.00
[MINED107] Missing import: `warnings` used but not imported: The file uses `warnings.something(...)` but never imports `warnings`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/integration/test_session_integration.py:498 · conf 1.00
[MINED107] Missing import: `http` used but not imported: The file uses `http.something(...)` but never imports `http`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/unit/concurrency/test_auth_load_blocks_loop.py:89 · conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/unit/test_auth_refresh.py:49 · conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/unit/test_auth_storage.py:331 · conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/unit/test_client.py:113 · conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/unit/test_cookie_domain_split.py:610 · conf 1.00
[MINED107] Missing import: `enum` used but not imported: The file uses `enum.something(...)` but never imports `enum`. This raises NameError at runtime the first time the line executes.

MINED107 · Missing Python import (NameError at runtime) · CWE-1075 · tests/unit/test_docstrings.py:145 · conf 1.00
[MINED107] Missing import: `html` used but not imported: The file uses `html.something(...)` but never imports `html`. This raises NameError at runtime the first time the line executes.
MINED116 · GHA pull_request workflow leaks secrets to forks · CWE-829 · .github/workflows/test.yml:48 · conf 0.90
[MINED116] Workflow uses `secrets.NAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.NAME }` lets a PR from any for…
SEC079 · Python: yaml.load without SafeLoader · scripts/rescrub-cassettes.py:178 · conf 1.00
[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-…
SEC116 · Ruby YAML.load / Marshal.load on untrusted input · scripts/rescrub-cassettes.py:178 · conf 1.00
[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang…
COMP001 · docs/examples/notes.py:23 · conf 0.95
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 32 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
MINED001 · Bare Except Pass · CWE-755 · docs/examples/notes.py:136 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

MINED001 · Bare Except Pass · CWE-755 · src/notebooklm/cli/completion.py:41 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

MINED001 · Bare Except Pass · CWE-755 · src/notebooklm/migration.py:162 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED006 · Overcatch Baseexception · CWE-705 · src/notebooklm/cli/error_handler.py:133 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.

MINED006 · Overcatch Baseexception · CWE-705 · src/notebooklm/_source_polling.py:161 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · scripts/check_rpc_health.py:311 · conf 1.00
[MINED106] Phantom test coverage: test_rpc_method: Test function `test_rpc_method` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage with…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · scripts/check_rpc_health.py:352 · conf 1.00
[MINED106] Phantom test coverage: test_rpc_method_with_data: Test function `test_rpc_method_with_data` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:37 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_default: Test function `test_generate_audio_default` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:43 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_brief: Test function `test_generate_audio_brief` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:53 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_deep_dive_long: Test function `test_generate_audio_deep_dive_long` runs code but contains no assert / expect / should call — it passes regardless…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:63 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_brief_short: Test function `test_generate_audio_brief_short` runs code but contains no assert / expect / should call — it passes regardless of be…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:73 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_critique: Test function `test_generate_audio_critique` runs code but contains no assert / expect / should call — it passes regardless of behaviou…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:82 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_debate: Test function `test_generate_audio_debate` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:91 · conf 1.00
[MINED106] Phantom test coverage: test_generate_audio_with_language: Test function `test_generate_audio_with_language` runs code but contains no assert / expect / should call — it passes regardless o…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:104 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_default: Test function `test_generate_video_default` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:114 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_explainer_anime: Test function `test_generate_video_explainer_anime` runs code but contains no assert / expect / should call — it passes regardle…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:124 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_brief_whiteboard: Test function `test_generate_video_brief_whiteboard` runs code but contains no assert / expect / should call — it passes regard…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:134 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_with_instructions: Test function `test_generate_video_with_instructions` runs code but contains no assert / expect / should call — it passes rega…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:145 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_kawaii_style: Test function `test_generate_video_kawaii_style` runs code but contains no assert / expect / should call — it passes regardless of …

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:154 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_watercolor_style: Test function `test_generate_video_watercolor_style` runs code but contains no assert / expect / should call — it passes regard…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:163 · conf 1.00
[MINED106] Phantom test coverage: test_generate_video_auto_style: Test function `test_generate_video_auto_style` runs code but contains no assert / expect / should call — it passes regardless of beha…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:180 · conf 1.00
[MINED106] Phantom test coverage: test_generate_cinematic_video_default: Test function `test_generate_cinematic_video_default` runs code but contains no assert / expect / should call — it passes rega…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:187 · conf 1.00
[MINED106] Phantom test coverage: test_generate_cinematic_video_with_instructions: Test function `test_generate_cinematic_video_with_instructions` runs code but contains no assert / expect / should c…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:197 · conf 1.00
[MINED106] Phantom test coverage: test_generate_cinematic_video_with_language: Test function `test_generate_cinematic_video_with_language` runs code but contains no assert / expect / should call — it…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:211 · conf 1.00
[MINED106] Phantom test coverage: test_generate_quiz_default: Test function `test_generate_quiz_default` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:221 · conf 1.00
[MINED106] Phantom test coverage: test_generate_quiz_with_options: Test function `test_generate_quiz_with_options` runs code but contains no assert / expect / should call — it passes regardless of be…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:232 · conf 1.00
[MINED106] Phantom test coverage: test_generate_quiz_fewer_easy: Test function `test_generate_quiz_fewer_easy` runs code but contains no assert / expect / should call — it passes regardless of behavi…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:246 · conf 1.00
[MINED106] Phantom test coverage: test_generate_flashcards_default: Test function `test_generate_flashcards_default` runs code but contains no assert / expect / should call — it passes regardless of …

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:256 · conf 1.00
[MINED106] Phantom test coverage: test_generate_flashcards_with_options: Test function `test_generate_flashcards_with_options` runs code but contains no assert / expect / should call — it passes rega…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/e2e/test_generation.py:271 · conf 1.00
[MINED106] Phantom test coverage: test_generate_infographic_default: Test function `test_generate_infographic_default` runs code but contains no assert / expect / should call — it passes regardless o…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/_lint/test_no_deprecated_public_rpc_call_kwargs.py:97 · conf 1.00
[MINED108] `self.generic_visit` used but never assigned in __init__: Method `_visit_function` of class `_OffenderCollector` reads `self.generic_visit`, but no assignment to it exists in __init__ (and…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/_lint/test_no_deprecated_public_rpc_call_kwargs.py:102 · conf 1.00
[MINED108] `self._visit_function` used but never assigned in __init__: Method `visit_FunctionDef` of class `_OffenderCollector` reads `self._visit_function`, but no assignment to it exists in __init_…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/_lint/test_no_deprecated_public_rpc_call_kwargs.py:105 · conf 1.00
[MINED108] `self._visit_function` used but never assigned in __init__: Method `visit_AsyncFunctionDef` of class `_OffenderCollector` reads `self._visit_function`, but no assignment to it exists in __…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/_lint/test_no_deprecated_public_rpc_call_kwargs.py:118 · conf 1.00
[MINED108] `self.generic_visit` used but never assigned in __init__: Method `visit_Call` of class `_OffenderCollector` reads `self.generic_visit`, but no assignment to it exists in __init__ (and no c…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:125 · conf 1.00
[MINED108] `self._chunk_record` used but never assigned in __init__: Method `test_logs_debug_but_parses_mismatched_byte_count_with_valid_json` of class `TestParseChunkedResponse` reads `self._chunk_r…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:144 · conf 1.00
[MINED108] `self._chunk_record` used but never assigned in __init__: Method `test_skips_byte_count_without_payload_below_threshold` of class `TestParseChunkedResponse` reads `self._chunk_record`, but…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:154 · conf 1.00
[MINED108] `self._chunk_record` used but never assigned in __init__: Method `test_skips_payload_split_across_lines_below_threshold` of class `TestParseChunkedResponse` reads `self._chunk_record`, but…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:165 · conf 1.00
[MINED108] `self._chunk_record` used but never assigned in __init__: Method `test_skips_extra_non_json_lines_before_and_after_valid_chunk` of class `TestParseChunkedResponse` reads `self._chunk_recor…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:535 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_scenario_a_empty_response` of class `TestIssue114Reproduction` reads `self._build_raw`, but no assignment to it exists i…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:544 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_scenario_b_non_rpc_json` of class `TestIssue114Reproduction` reads `self._build_raw`, but no assignment to it exists in …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:553 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_scenario_c_null_result_data` of class `TestIssue114Reproduction` reads `self._build_raw`, but no assignment to it exists…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:562 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_scenario_d_short_item` of class `TestIssue114Reproduction` reads `self._build_raw`, but no assignment to it exists in __…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:570 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_all_scenarios_include_method_id` of class `TestIssue114Reproduction` reads `self._build_raw`, but no assignment to it ex…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:579 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_null_result_includes_found_ids` of class `TestIssue114Reproduction` reads `self._build_raw`, but no assignment to it exi…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:616 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_not_found_raises_client_error` of class `TestNullResultStatusCodeEnrichment` reads `self._build_raw`, but no assignment …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:626 · conf 1.00
[MINED108] `self._assert_no_auth_patterns` used but never assigned in __init__: Method `test_not_found_raises_client_error` of class `TestNullResultStatusCodeEnrichment` reads `self._assert_no_auth_p…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:631 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_permission_denied_raises_client_error` of class `TestNullResultStatusCodeEnrichment` reads `self._build_raw`, but no ass…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:637 · conf 1.00
[MINED108] `self._assert_no_auth_patterns` used but never assigned in __init__: Method `test_permission_denied_raises_client_error` of class `TestNullResultStatusCodeEnrichment` reads `self._assert_n…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:647 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_internal_code_raises_plain_rpc_error` of class `TestNullResultStatusCodeEnrichment` reads `self._build_raw`, but no assi…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:656 · conf 1.00
[MINED108] `self._assert_no_auth_patterns` used but never assigned in __init__: Method `test_internal_code_raises_plain_rpc_error` of class `TestNullResultStatusCodeEnrichment` reads `self._assert_no…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:665 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_unauthenticated_code_does_not_become_auth_error` of class `TestNullResultStatusCodeEnrichment` reads `self._build_raw`, …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:672 · conf 1.00
[MINED108] `self._assert_no_auth_patterns` used but never assigned in __init__: Method `test_unauthenticated_code_does_not_become_auth_error` of class `TestNullResultStatusCodeEnrichment` reads `self…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:677 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_out_of_range_code_falls_through_to_generic_error` of class `TestNullResultStatusCodeEnrichment` reads `self._build_raw`,…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:688 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_multi_element_error_info_falls_through` of class `TestNullResultStatusCodeEnrichment` reads `self._build_raw`, but no as…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · tests/unit/test_decoder.py:703 · conf 1.00
[MINED108] `self._build_raw` used but never assigned in __init__: Method `test_allow_null_suppresses_enrichment_for_client_error_codes` of class `TestNullResultStatusCodeEnrichment` reads `self._buil…
MINED110 · Blocking call inside async function · CWE-833 · tests/unit/concurrency/test_auth_load_blocks_loop.py:98 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `test_from_storage_save_does_not_block_event_loop`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it st…

MINED110 · Blocking call inside async function · CWE-833 · tests/unit/concurrency/test_auth_load_blocks_loop.py:169 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `test_fetch_tokens_with_domains_save_does_not_block_event_loop`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `asy…

MINED110 · Blocking call inside async function · CWE-833 · tests/unit/test_auth_session.py:69 · conf 1.00
[MINED110] Blocking call `requests.append` inside async function `test_refresh_auth_session_default_account_uses_bare_base_url`: `requests.append` is a synchronous (blocking) call. When invoked insid…

MINED110 · Blocking call inside async function · CWE-833 · tests/unit/test_auth_session.py:90 · conf 1.00
[MINED110] Blocking call `requests.append` inside async function `test_refresh_auth_session_selected_account_uses_account_email_url`: `requests.append` is a synchronous (blocking) call. When invoked …

MINED110 · Blocking call inside async function · CWE-833 · tests/unit/test_auth_session.py:107 · conf 1.00
[MINED110] Blocking call `requests.append` inside async function `test_refresh_auth_session_selected_account_uses_authuser_url`: `requests.append` is a synchronous (blocking) call. When invoked insid…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/claude.yml:41 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/codeql.yml:21 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/codeql.yml:24 · conf 0.90
[MINED115] Action `github/codeql-action/init` pinned to mutable ref `@v4`: `uses: github/codeql-action/init@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/codeql.yml:38 · conf 0.90
[MINED115] Action `github/codeql-action/analyze` pinned to mutable ref `@v4`: `uses: github/codeql-action/analyze@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action o…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/dependency-audit.yml:28 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/dependency-audit.yml:29 · conf 0.90
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/nightly.yml:104 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/nightly.yml:109 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/nightly.yml:138 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/rpc-health.yml:32 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/rpc-health.yml:35 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/rpc-health.yml:217 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/testpypi-publish.yml:22 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/testpypi-publish.yml:25 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/testpypi-publish.yml:54 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/testpypi-publish.yml:98 · conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v7`: `uses: actions/download-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:21 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:24 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:30 · conf 0.90
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:101 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:104 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:110 · conf 0.90
[MINED115] Action `astral-sh/setup-uv` pinned to mutable ref `@v7`: `uses: astral-sh/setup-uv@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/test.yml:124 · conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/verify-package.yml:32 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…

MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · .github/workflows/verify-package.yml:35 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED131 · pre-commit hook pinned to branch/tag instead of SHA · CWE-829 · .pre-commit-config.yaml:2 · conf 0.90
[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.15.12`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
docs/examples/bulk-import.py:61
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
docs/examples/chat.py:28
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
docs/examples/notes.py:34
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC103
LDAP injection — non-constant search filter
src/notebooklm/_artifact_formatters.py:35
· conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
SEC103
LDAP injection — non-constant search filter
src/notebooklm/cli/skill.py:51
· conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/notebooklm/cli/error_handler.py:51
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/notebooklm/cli/rendering.py:87
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AIC004
Suspicious implementation file appears unreferenced
tests/scripts/check_cassettes_clean.py:1
· conf 0.78
Suspicious implementation file appears unreferenced
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
src/notebooklm/cli/completion.py:41
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
MINED111
Bare except continues silently
docs/examples/bulk-import.py:64
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
docs/examples/bulk-import.py:75
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
docs/examples/chat.py:102
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
docs/examples/notes.py:152
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_rpc_health.py:909
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_rpc_health.py:925
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_rpc_health.py:941
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_rpc_health.py:950
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/diagnose_get_notebook.py:130
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/conftest.py:365
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/conftest.py:426
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/conftest.py:550
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/conftest.py:619
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/conftest.py:645
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/conftest.py:815
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/e2e/test_downloads.py:132
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/integration/concurrency/helpers.py:249
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/integration/concurrency/test_add_file_toctou.py:235
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/integration/test_chat_delete_conversation_vcr.py:144
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/integration/test_chat_multi_source_vcr.py:277
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/scripts/setup-generation-notebook.py:74
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/test_cookie_persistence.py:120
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/test_migration_lock.py:91
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/test_refresh_lock_registry.py:343
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/unit/test_windows_compatibility.py:312
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
src/notebooklm/_sharing.py:30
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
SEC136
AI-typical over-broad exception handler swallowing all errors
src/notebooklm/cli/completion.py:24
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
AIC002
Source file name looks like an AI patch artifact
src/notebooklm/cli/services/source_clean.py:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
tests/scripts/check_cassettes_clean.py:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC003
Duplicated implementation block across source files
scripts/check_workflow_secret_gates.py:98
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/notebooklm/rpc/__init__.py:62
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/notebooklm/types.py:66
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
src/notebooklm/types.py:114
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
tests/integration/conftest.py:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
tests/unit/conftest.py:33
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
tests/unit/conftest.py:71
· conf 0.86
Duplicated implementation block across source files
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
docs/examples/bulk-import.py:46
· conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
docs/examples/research-to-podcast.py:25
· conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
SEC132
String concat where the language has interpolation (AI style drift)
scripts/check_ci_install_parity.py:187
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
WEB005
robots.txt does not advertise a sitemap
tests/cassettes/artifacts_delete.yaml
· conf 0.74
robots.txt does not advertise a sitemap
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 61 more): Same pattern found in 61 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
src/notebooklm/cli/services/source_add.py:113
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
src/notebooklm/research.py:58
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED047
Emoji In Source
src/notebooklm/cli/language.py:67
· conf 1.00
[MINED047] Emoji In Source: Emoji ✅ ❌ 🚀 in code/comments — common AI output unless explicitly requested.
MINED049
Print Pii
CWE-532
scripts/diagnose_get_notebook.py:140
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
docs/examples/notes.py:137
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
src/notebooklm/_auth/session.py:24
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
src/notebooklm/cli/agent.py:12
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED055
Npm Install No Lockfile
CWE-1357
· conf 0.20
[MINED055] Npm Install No Lockfile (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED055
Npm Install No Lockfile
CWE-1357
docs/examples/bulk-import.py:11
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED055
Npm Install No Lockfile
CWE-1357
docs/examples/quickstart.py:12
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED055
Npm Install No Lockfile
CWE-1357
docs/examples/research-to-podcast.py:11
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED062
Python Dataclass No Fields
· conf 0.20
[MINED062] Python Dataclass No Fields (and 11 more): Same pattern found in 11 additional files. Review if needed.
MINED062
Python Dataclass No Fields
scripts/check_ci_install_parity.py:47
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
src/notebooklm/_middleware.py:40
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
src/notebooklm/_request_types.py:67
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
SEC007
Unsafe Deserialization
scripts/rescrub-cassettes.py:178
· conf 0.10
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
SEC020
Secret Printed to Logs
scripts/diagnose_get_notebook.py:140
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
src/notebooklm/_middleware_auth_refresh.py:213
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 12 more): Same pattern found in 12 additional files. Review if needed.