https://github.com/frappe/erpnext.git · lang: python · LOC: · source: user_submitted
| Rule | Title | Severity | Count |
|---|---|---|---|
| MINED108 | self.attribute used but never assigned in __init__ | high | 25 |
| MINED115 | GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED126 | GHA workflow container/services image unpinned | high | 5 |
| AIC003 | Duplicated implementation block across source files | low | 5 |
| SEC128 | Async function without await — fire-and-forget Promise (AI … | high | 3 |
| MINED056 | React Key As Index | info | 3 |
| MINED050 | Stub Only Function | info | 3 |
| MINED106 | Phantom test coverage (assertion-free test) | high | 3 |
| COMP001 | High cognitive complexity: Function `load_yfinanc… | low | 3 |
SEC041 Tabnabbing — target="_blank" without rel="noopener noreferr… |
medium | 3 |
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/server-tests-mariadb.yml:164
· conf 0.90
[MINED116] Workflow uses `secrets.CODECOV_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CODECOV_TOKEN }` lets…
Triage note: GitHub does not pass repository secrets, other than the read-only `GITHUB_TOKEN`, to `pull_request` runs that originate from forks, so on this trigger the token is only reachable from branches inside the repository itself. The combination that does hand secrets to fork-controlled code is `pull_request_target` (or `workflow_run`) together with a checkout of the PR head ref. Confirm which trigger and which checkout ref the step at line 164 runs under before treating this as a CWE-829 exposure.
MINED001
Bare Except Pass
CWE-755
erpnext/accounts/doctype/bank_transaction_rule/bank_transaction_rule.py:117
· conf 1.00
[MINED001] Bare Except Pass: `except: pass` swallows everything, including `KeyboardInterrupt`, `SystemExit` and the bugs you want to see. `except Exception: pass` lets those `BaseException` signals through but still hides every real error.
MINED009
Floats For Money
CWE-682
erpnext/accounts/doctype/bank_account/bank_account.py:191
· conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
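Added example, not ERPNext's code, showing why MINED009 treats float-typed money as a defect: binary floats cannot represent most decimal cent values exactly, so sums drift and equality checks fail, whereas `Decimal` built from strings and rounded once with an explicit mode gives exact, auditable results. The amounts and the 2.5 % fee are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_HALF_UP

CENT = Decimal("0.01")


def sum_float(amounts):
    """Accumulate with IEEE-754 doubles: ten times 0.1 is not 1.0."""
    return sum(amounts, 0.0)


def sum_decimal(amounts):
    """Accumulate exactly. Build Decimals from str, never from float:
    Decimal(0.1) would carry the binary representation error in."""
    return sum((Decimal(a) for a in amounts), Decimal("0"))


def float_total_matches_expected():
    return sum_float([0.1] * 10) == 1.0          # False on any IEEE-754 platform


def decimal_total_matches_expected():
    return sum_decimal(["0.10"] * 10) == Decimal("1.00")   # True


def apply_fee(amount, fee_pct, rounding=ROUND_HALF_EVEN):
    """Charge a percentage fee and round to cents exactly once, at the end.
    The rounding mode is a business decision and must be explicit; banker's
    rounding (HALF_EVEN) is the usual choice for ledgers. Returns (net, fee)."""
    amount = Decimal(amount)
    fee = (amount * Decimal(fee_pct) / Decimal(100)).quantize(CENT, rounding=rounding)
    return amount - fee, fee
```

`apply_fee("1.00", "2.5")` yields a raw fee of 0.025, which is exactly the case where the rounding mode matters: HALF_EVEN gives 0.02, HALF_UP gives 0.03. With floats that tie cannot even be represented, so the result depends on accumulated error rather than on policy.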
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
erpnext/accounts/doctype/bank_statement_import_log/test_bank_statement_import_log.py:89
· conf 1.00
[MINED106] Phantom test coverage: test_sample_statement_import_log: Test function `test_sample_statement_import_log` runs code but contains no assert / expect / should call — it passes regardless of …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
erpnext/accounts/doctype/bank_transaction/test_bank_transaction_fees.py:19
· conf 1.00
[MINED106] Phantom test coverage: test_included_fee_allows_equal: Test function `test_included_fee_allows_equal` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
erpnext/accounts/doctype/bank_transaction/test_bank_transaction_fees.py:28
· conf 1.00
[MINED106] Phantom test coverage: test_included_fee_allows_for_deposit: Test function `test_included_fee_allows_for_deposit` runs code but contains no assert / expect / should call — it passes regard…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:12
· conf 1.00
[MINED108] `self.validate_reference` used but never assigned in __init__: Method `validate` of class `ERPNextAddress` reads `self.validate_reference`, but no assignment to it exists in __init__ (and …
Triage note for the 25 MINED108 hits: most of the reported names are not instance attributes. `validate_reference` and `update_company_address` are methods of `ERPNextAddress` (this same list reports them as such further down), and `get`, `as_dict`, `name`, `links` and `get_doc_before_save` are inherited from Frappe's `Document` base class or populated from the DocType schema when the document is loaded. Frappe controllers typically define no `__init__` of their own, so a rule keyed on `__init__` assignments fires on every field access; review these as probable false positives rather than CWE-476 defects.
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:13
· conf 1.00
[MINED108] `self.update_company_address` used but never assigned in __init__: Method `validate` of class `ERPNextAddress` reads `self.update_company_address`, but no assignment to it exists in __init…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:20
· conf 1.00
[MINED108] `self.is_your_company_address` used but never assigned in __init__: Method `link_address` of class `ERPNextAddress` reads `self.is_your_company_address`, but no assignment to it exists in …
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:26
· conf 1.00
[MINED108] `self.get` used but never assigned in __init__: Method `update_company_address` of class `ERPNextAddress` reads `self.get`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:28
· conf 1.00
[MINED108] `self.is_your_company_address` used but never assigned in __init__: Method `update_company_address` of class `ERPNextAddress` reads `self.is_your_company_address`, but no assignment to it …
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:31
· conf 1.00
[MINED108] `self.is_your_company_address` used but never assigned in __init__: Method `validate_reference` of class `ERPNextAddress` reads `self.is_your_company_address`, but no assignment to it exis…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:31
· conf 1.00
[MINED108] `self.links` used but never assigned in __init__: Method `validate_reference` of class `ERPNextAddress` reads `self.links`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:47
· conf 1.00
[MINED108] `self.as_dict` used but never assigned in __init__: Method `on_update` of class `ERPNextAddress` reads `self.as_dict`, but no assignment to it exists in __init__ (and no class-level fallba…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/custom/address.py:48
· conf 1.00
[MINED108] `self.name` used but never assigned in __init__: Method `on_update` of class `ERPNextAddress` reads `self.name`, but no assignment to it exists in __init__ (and no class-level fallback). T…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:116
· conf 1.00
[MINED108] `self.validate_auto_tax_settings` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.validate_auto_tax_settings`, but no assignment to it exists…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:117
· conf 1.00
[MINED108] `self.get_doc_before_save` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.get_doc_before_save`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:120
· conf 1.00
[MINED108] `self.add_taxes_from_item_tax_template` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.add_taxes_from_item_tax_template`, but no assignment …
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:122
· conf 1.00
[MINED108] `self.get` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:126
· conf 1.00
[MINED108] `self.enable_common_party_accounting` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_common_party_accounting`, but no assignment to i…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:128
· conf 1.00
[MINED108] `self.get` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:132
· conf 1.00
[MINED108] `self.validate_stale_days` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.validate_stale_days`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:134
· conf 1.00
[MINED108] `self.show_payment_schedule_in_print` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.show_payment_schedule_in_print`, but no assignment to i…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:135
· conf 1.00
[MINED108] `self.enable_payment_schedule_in_print` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_payment_schedule_in_print`, but no assignment …
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:137
· conf 1.00
[MINED108] `self.enable_accounting_dimensions` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_accounting_dimensions`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:138
· conf 1.00
[MINED108] `self.enable_accounting_dimensions` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_accounting_dimensions`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:141
· conf 1.00
[MINED108] `self.enable_discounts_and_margin` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_discounts_and_margin`, but no assignment to it exis…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:145
· conf 1.00
[MINED108] `self.enable_loyalty_point_program` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_loyalty_point_program`, but no assignment to it ex…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:149
· conf 1.00
[MINED108] `self.enable_subscription` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.enable_subscription`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:156
· conf 1.00
[MINED108] `self.validate_and_sync_auto_reconcile_config` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.validate_and_sync_auto_reconcile_config`, but …
MINED108
self.attribute used but never assigned in __init__
CWE-476
erpnext/accounts/doctype/accounts_settings/accounts_settings.py:157
· conf 1.00
[MINED108] `self.update_property_for_accounting_dimension` used but never assigned in __init__: Method `validate` of class `AccountsSettings` reads `self.update_property_for_accounting_dimension`, bu…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs-checker.yml:16
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docs-checker.yml:21
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/generate-pot-file.yml:24
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/generate-pot-file.yml:29
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/generate-pot-file.yml:34
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/label-base-on-title.yml:15
· conf 0.90
[MINED115] Action `actions/github-script` pinned to mutable ref `@v7`: `uses: actions/github-script@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/labeller.yml:14
· conf 0.90
[MINED115] Action `actions/labeler` pinned to mutable ref `@v3`: `uses: actions/labeler@v3` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-act…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/patch.yml:41
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/patch.yml:52
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/patch.yml:60
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/patch.yml:69
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/patch.yml:78
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/patch.yml:92
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:20
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:76
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:79
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:84
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:93
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:102
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-individual-tests.yml:116
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v4`: `uses: actions/cache@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/semantic-commits.yml:18
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/semantic-commits.yml:21
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/server-tests-postgres.yml:50
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/server-tests-postgres.yml:53
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/server-tests-postgres.yml:66
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/docker-release.yml:13
· conf 0.90
[MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/patch.yml:32
· conf 0.90
[MINED126] Workflow container/services image `mariadb:11.8` unpinned: `container/services image: mariadb:11.8` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/run-individual-tests.yml:67
· conf 0.90
[MINED126] Workflow container/services image `mariadb:10.6` unpinned: `container/services image: mariadb:10.6` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/server-tests-mariadb.yml:58
· conf 0.90
[MINED126] Workflow container/services image `mariadb:10.6` unpinned: `container/services image: mariadb:10.6` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow container…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/server-tests-postgres.yml:36
· conf 0.90
[MINED126] Workflow container/services image `postgres:13.3` unpinned: `container/services image: postgres:13.3` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…
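Added example, not ERPNext's code, that implements the three GitHub Actions checks reported above (MINED115 mutable action refs, MINED126 images without a digest, MINED116 secrets referenced in a `pull_request` workflow) as one small linter over raw workflow text. It deliberately uses regexes instead of a YAML parser so it runs with the standard library only; the sample workflow, the placeholder 40-hex SHA and the `upload.sh` step are constructed for illustration. For MINED116 the linter only flags the pattern; whether a secret is actually reachable from fork code depends on the trigger, as noted on that finding.

```python
import re

# A full commit SHA is the only ref the action owner cannot move.
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*([^\s#]+)")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
ON_RE = re.compile(r"""^(?:on|'on'|"on"):\s*(.*)$""")
PR_KEY_RE = re.compile(r"^\s*-?\s*pull_request\s*:?\s*$")


def pull_request_triggered(text):
    """True if the `on:` section lists `pull_request` (inline list/scalar or
    nested key). `\\b` keeps `pull_request_target` from matching."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ON_RE.match(line)
        if not m:
            continue
        inline = m.group(1)
        if inline:
            return bool(re.search(r"\bpull_request\b", inline))
        for nxt in lines[i + 1:]:
            if nxt.strip() and not nxt.startswith((" ", "\t")):
                break                      # left the indented `on:` block
            if PR_KEY_RE.match(nxt):
                return True
        return False
    return False


def lint_workflow(text):
    """Return (rule, line_no, message) tuples in file order."""
    findings = []
    pr = pull_request_triggered(text)
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not FULL_SHA.match(m.group(2)):
            findings.append(("MINED115", n, f"{m.group(1)}@{m.group(2)} is a mutable ref"))
        m = IMAGE_RE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append(("MINED126", n, f"image {m.group(1)} is not pinned by digest"))
        for name in SECRET_RE.findall(line):
            if pr and name != "GITHUB_TOKEN":
                findings.append(("MINED116", n, f"secrets.{name} referenced in a pull_request workflow"))
    return findings


# Constructed sample workflow; the 40-hex value is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: server-tests
on:
  push:
  pull_request:
jobs:
  test:
    runs-on: ubuntu-latest
    services:
      mariadb:
        image: mariadb:10.6
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - name: Upload coverage
        run: ./upload.sh
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
"""
```

The fix for the first two rules is mechanical: `uses: owner/action@<40-hex-sha>  # vN` with the tag kept in a comment for humans and Dependabot, and `image: mariadb:10.6@sha256:<digest>` for service containers. Pinning to a SHA removes the re-pushed-tag attack but not a compromised maintainer account, so combine it with a reviewer policy for digest bumps.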
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
.github/helper/documentation.py:18
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC078
Python: requests without timeout
.github/helper/documentation.py:44
· conf 1.00
[SEC078] Python: requests without timeout: requests.get/post without a timeout can hang indefinitely on a non-responsive server, tying up worker threads until the pool is exhausted (a denial-of-service condition; it has nothing to do with regex ReDoS). Ported from bandit B113 (Apache-…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
erpnext/accounts/doctype/account_closing_balance/account_closing_balance.py:56
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
Triage note: this rule describes JavaScript Promise semantics, but two of its three hits (`account_closing_balance.py:56` and `erpnext/__init__.py:64`) are Python files, where no Promise exists. Unless those lines call an `async def` without awaiting it (which Python reports as "coroutine ... was never awaited"), treat them as false positives; the `.js` hit is the one worth reading.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
erpnext/accounts/doctype/accounting_dimension/accounting_dimension.js:52
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
erpnext/__init__.py:64
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AUC001
No Repobility access matrix policy found
· conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
CFG006
Missing .gitignore
· conf 1.00
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
COMP001
High cognitive complexity
erpnext/accounts/doctype/account/chart_of_accounts/chart_of_accounts.py:102
· conf 0.95
[COMP001] High cognitive complexity: Function `get_chart` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested br…
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
erpnext/accounts/doctype/bank_transaction_rule/bank_transaction_rule.py:117
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
MINED111
Bare except continues silently
erpnext/accounts/doctype/bank_statement_import/bank_statement_import.py:162
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
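Added example, not ERPNext's code, for the three exception-swallowing findings (MINED001, ERR001, MINED111). The first function makes the difference between `except:` and `except Exception:` observable: only the bare form hides `KeyboardInterrupt` and `SystemExit` from the caller. The second shows the replacement shape the findings ask for: catch only the failure you can recover from, log it, and let everything else propagate. The threshold-parsing use case is constructed for illustration.

```python
import logging

log = logging.getLogger(__name__)


def swallows(exc_type, *, bare):
    """Return True if the handler style hides `exc_type` from the caller."""
    try:
        if bare:
            try:
                raise exc_type("boom")
            except:                      # noqa: E722  catches BaseException too
                pass
        else:
            try:
                raise exc_type("boom")
            except Exception:            # BaseException subclasses escape
                pass
    except BaseException:
        return False                     # it reached us: not swallowed
    return True


def load_rule_threshold(raw, default=0):
    """Narrow handler: recover only from malformed input, say so at DEBUG,
    and let anything unexpected (MemoryError, a bug in a callee) surface."""
    try:
        return int(raw)
    except (TypeError, ValueError) as exc:
        log.debug("threshold %r is not an int, using %r (%s)", raw, default, exc)
        return default
```

`except Exception:` is the right floor for a generic handler; a bare `except:` is only defensible in code that re-raises unconditionally, and even then `except BaseException:` says the same thing explicitly.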
SEC015
Insecure Randomness for Security
erpnext/accounts/doctype/account_closing_balance/account_closing_balance.py:93
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
banking/src/components/common/LinkFieldCombobox.tsx:246
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
Note: current browsers (Chrome 88+, Firefox 79+, Safari 12.1+) already imply `noopener` for `target="_blank"`, so the live exposure is limited to older clients; `noreferrer` additionally suppresses the Referer header. Adding `rel="noopener noreferrer"` explicitly remains the correct fix for all three hits.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
banking/src/pages/BankStatementImporter.tsx:237
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
erpnext/accounts/doctype/bank_statement_import_log/bank_statement_import_log.js:8
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
AIC003
Duplicated implementation block across source files
banking/src/components/features/BankReconciliation/MatchAndReconcile.tsx:137
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
banking/src/components/features/BankReconciliation/Rules/RuleForm.tsx:444
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
banking/src/components/features/BankReconciliation/TransferModal.tsx:180
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
banking/src/components/ui/select.tsx:24
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
banking/src/components/ui/textarea.tsx:12
· conf 0.86
Duplicated implementation block across source files
COMP001
High cognitive complexity
erpnext/accounts/dashboard_chart_source/account_balance_timeline/account_balance_timeline.py:15
· conf 0.95
[COMP001] High cognitive complexity: Function `get` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
COMP001
High cognitive complexity
erpnext/accounts/dashboard_chart_source/account_balance_timeline/account_balance_timeline.py:70
· conf 0.95
[COMP001] High cognitive complexity: Function `build_result` has cognitive complexity 12 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
MINED043
Http Not Https
CWE-319
banking/proxyOptions.ts:10
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
erpnext/accounts/doctype/bank/bank.js:116
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
banking/src/components/ui/dropdown-menu.tsx:63
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED050
Stub Only Function
CWE-1188
erpnext/accounts/doctype/account_closing_balance/account_closing_balance.py:42
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
erpnext/accounts/doctype/accounting_dimension_detail/accounting_dimension_detail.py:29
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
erpnext/accounts/doctype/accounting_period/accounting_period.py:11
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED052
Ts Any Typed
CWE-704
banking/src/hooks/useDocType.ts:15
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED056
React Key As Index
CWE-682
banking/src/components/features/BankStatementImporter/CSV/CSVRawDataPreview.tsx:41
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
banking/src/components/ui/error-banner.tsx:44
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
banking/src/components/ui/loaders.tsx:9
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED058
React Dangerously Set Html
CWE-79
banking/src/components/features/BankReconciliation/IncorrectlyClearedEntries.tsx:184
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Sanitize with DOMPurify first, or never use it with user-controlled data.
MINED067
Python Requests No Timeout
CWE-400
.github/helper/documentation.py:44
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
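Added example, not ERPNext's code, of an outbound-URL gate that addresses the SSRF finding (SEC029) and the two missing-timeout findings (SEC078, MINED067) on `.github/helper/documentation.py` together. The allowlist, the sample URLs and the `safe_get` wrapper are assumptions for illustration; the gate refuses non-HTTPS schemes, userinfo tricks, non-public IP literals (including the 169.254.169.254 metadata address), unlisted hosts and non-standard ports, and every fetch carries an explicit timeout.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption for the example: the only hosts the CI helper legitimately fetches.
ALLOWED_HOSTS = frozenset({"docs.erpnext.com", "github.com"})
# (connect, read) seconds, the tuple form `requests` accepts for timeout=.
DEFAULT_TIMEOUT = (3.05, 10)


class UnsafeURL(ValueError):
    """Raised for any URL the gate refuses to fetch."""


def _is_non_global_ip(host):
    """True for IP literals that are loopback, link-local (169.254.169.254),
    RFC 1918, ULA and similar; False for hostnames, which go through the allowlist."""
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False


def validate_outbound_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return `url` unchanged if it may be fetched, otherwise raise UnsafeURL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise UnsafeURL(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        # 'https://docs.erpnext.com@127.0.0.1/' hides the real host behind userinfo
        raise UnsafeURL("userinfo in URL")
    if _is_non_global_ip(host):
        raise UnsafeURL(f"{host} is not a public address")
    if host not in allowed_hosts:
        raise UnsafeURL(f"host {host!r} not in allowlist")
    if parts.port not in (None, 443):
        raise UnsafeURL(f"port {parts.port} not allowed")
    return url


def is_safe_url(url):
    try:
        validate_outbound_url(url)
        return True
    except UnsafeURL:
        return False


def safe_get(url, session=None, timeout=DEFAULT_TIMEOUT):
    """Fetch only after validation, always with a timeout, and without automatic
    redirects: a 302 to an internal address is the classic allowlist bypass, so
    the caller validates each hop with validate_outbound_url before following it."""
    import requests  # imported lazily so the validator works without the dependency
    validate_outbound_url(url)
    return (session or requests.Session()).get(url, timeout=timeout, allow_redirects=False)
```

The gate checks the URL, not what the name resolves to, so a listed hostname that resolves (or rebinds) to an internal address is outside its scope; closing that requires resolving and checking the address at connect time, for example in a custom transport adapter.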
MINED072
Python Pass Only Class
CWE-1188
erpnext/accounts/doctype/accounting_period/accounting_period.py:10
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.