Repository: https://github.com/13145125121/BotTG.git
Language: typescript
LOC:
Source: user_submitted
| Rule | Description | Severity | Count |
|---|---|---|---|
| MINED113 | Express POST/PUT/DELETE/PATCH route without auth | high | 25 |
| JRN003 | Frontend API reference is not matched by discovered backend… | medium | 15 |
| MINED111 | Bare except continues silently | medium | 13 |
| AUC009 | Sensitive function route lacks elevated authorizat… | medium | 10 |
| AUC003 | Object-level route lacks visible authorization: A … | high | 10 |
| MINED108 | self.attribute used but never assigned in __init__ | high | 10 |
| AUC004 | Admin route does not show super_admin separation: … | medium | 10 |
| MINED054 | Ts As Any | info | 4 |
| SEC085 | JS: child_process.exec with non-literal | high | 4 |
| MINED067 | Python Requests No Timeout | info | 4 |
AUC003 · Object-level route lacks visible authorization · conf 0.70
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
Locations:
- server/routes/setupBotManagementRoutes.ts:35
- server/routes/setupBotManagementRoutes.ts:36
- server/routes/setupBotManagementRoutes.ts:37
- server/routes/setupBotManagementRoutes.ts:38
- server/routes/setupBotManagementRoutes.ts:39
- server/routes/setupBotManagementRoutes.ts:40
- server/routes/setupBotManagementRoutes.ts:41
- server/routes/setupBotManagementRoutes.ts:42
- server/routes/setupProjectRoutes.ts:44
- server/routes/setupProjectRoutes.ts:45
COMP001 · High cognitive complexity · conf 0.95
- scripts/add_set_variable_test_nodes.py:93
  [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
  [COMP001] High cognitive complexity: Function `main` has cognitive complexity 27 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
JRN009 · Secret-like setting is echoed into a password input value · conf 0.83
Locations:
- client/components/editor/bot/card/BotUserbotSettings.tsx:345
- client/components/editor/properties/components/configuration/psql-connection-section.tsx:294
- client/components/editor/telegram-client/components/qr-password-step-view.tsx:54
MINED001 · Bare Except Pass · CWE-755 · conf 1.00
- tools/generate_tree_json.py:49
  [MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED004 · Weak Crypto · CWE-327 · conf 1.00
- server/utils/seed-templates.ts:43
  [MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED014 · Disabled Tls Verify · CWE-295 · conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
Locations:
- scripts/init-db.ts:20
- scripts/migrate.ts:18
- server/database/db.ts:49
MINED099 · Hardcoded Secret · CWE-798 · conf 1.00
- scripts/force-push.sh:38
  [MINED099] Hardcoded Secret: API key, AWS access key, GitHub token, Slack token, OpenAI key, or private key embedded directly in source. AI assistants frequently leak demo credentials.
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · conf 1.00
- server/python/worker.py:44
  [MINED108] `self.format` used but never assigned in __init__: Method `emit` of class `WorkerLogHandler` reads `self.format`, but no assignment to it exists in __init__ (and no class-level fallback). …
- server/python/worker.py:116
  [MINED108] `self._start_bot` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._start_bot`, but no assignment to it exists in __init__ (and no class-level …
- server/python/worker.py:118
  [MINED108] `self._stop_bot` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._stop_bot`, but no assignment to it exists in __init__ (and no class-level fa…
- server/python/worker.py:120
  [MINED108] `self._emit_status` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._emit_status`, but no assignment to it exists in __init__ (and no class-le…
- server/python/worker.py:122
  [MINED108] `self._shutdown` used but never assigned in __init__: Method `handle_command` of class `BotWorker` reads `self._shutdown`, but no assignment to it exists in __init__ (and no class-level fa…
- server/python/worker.py:141
  [MINED108] `self._stop_bot` used but never assigned in __init__: Method `_start_bot` of class `BotWorker` reads `self._stop_bot`, but no assignment to it exists in __init__ (and no class-level fallba…
- server/python/worker.py:150
  [MINED108] `self._run_bot` used but never assigned in __init__: Method `_start_bot` of class `BotWorker` reads `self._run_bot`, but no assignment to it exists in __init__ (and no class-level fallback…
- server/python/worker.py:306
  [MINED108] `self._stop_bot` used but never assigned in __init__: Method `_shutdown` of class `BotWorker` reads `self._stop_bot`, but no assignment to it exists in __init__ (and no class-level fallbac…
- server/python/worker.py:349
  [MINED108] `self.handle_command` used but never assigned in __init__: Method `run` of class `BotWorker` reads `self.handle_command`, but no assignment to it exists in __init__ (and no class-level fal…
- server/python/worker.py:362
  [MINED108] `self._shutdown` used but never assigned in __init__: Method `run` of class `BotWorker` reads `self._shutdown`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
MINED113 · Express POST/PUT/DELETE/PATCH route without auth · CWE-306, CWE-862 · conf 0.80
- server/routes/setupAuthRoutes.ts:28
  [MINED113] Express POST /api/auth/telegram has no auth: Express route POST /api/auth/telegram declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on …
- server/routes/setupAuthRoutes.ts:30
  [MINED113] Express POST /api/auth/telegram/miniapp has no auth: Express route POST /api/auth/telegram/miniapp declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/D…
- server/routes/setupAuthRoutes.ts:31
  [MINED113] Express POST /api/auth/dev-login has no auth: Express route POST /api/auth/dev-login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) o…
- server/routes/setupBotIntegrationRoutes.ts:94
  [MINED113] Express POST /api/projects/:projectId/files has no auth: Express route POST /api/projects/:projectId/files declared without an auth middleware in its handler chain. Destructive methods (PO…
- server/routes/setupBotIntegrationRoutes.ts:105
  [MINED113] Express DELETE /api/projects/:projectId/files has no auth: Express route DELETE /api/projects/:projectId/files declared without an auth middleware in its handler chain. Destructive methods…
- server/routes/setupBotManagementRoutes.ts:38
  [MINED113] Express POST /api/projects/:id/bot/start has no auth: Express route POST /api/projects/:id/bot/start declared without an auth middleware in its handler chain. Destructive methods (POST/PUT…
- server/routes/setupBotManagementRoutes.ts:39
  [MINED113] Express POST /api/projects/:id/bot/stop has no auth: Express route POST /api/projects/:id/bot/stop declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/D…
- server/routes/setupBotManagementRoutes.ts:40
  [MINED113] Express POST /api/projects/:id/bot/restart has no auth: Express route POST /api/projects/:id/bot/restart declared without an auth middleware in its handler chain. Destructive methods (POST…
- server/routes/setupBotManagementRoutes.ts:41
  [MINED113] Express POST /api/projects/:id/bot/restart-all has no auth: Express route POST /api/projects/:id/bot/restart-all declared without an auth middleware in its handler chain. Destructive metho…
- server/routes/setupBotManagementRoutes.ts:42
  [MINED113] Express DELETE /api/projects/:projectId/tokens/:tokenId/logs has no auth: Express route DELETE /api/projects/:projectId/tokens/:tokenId/logs declared without an auth middleware in its hand…
- server/routes/setupGithubPushRoute.ts:24
  [MINED113] Express POST /api/push-to-github has no auth: Express route POST /api/push-to-github declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) o…
- server/routes/setupProjectRoutes.ts:47
  [MINED113] Express POST /api/projects has no auth: Express route POST /api/projects declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenti…
- server/routes/setupProjectRoutes.ts:48
  [MINED113] Express PUT /api/projects/reorder has no auth: Express route PUT /api/projects/reorder declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH)…
- server/routes/setupProjectRoutes.ts:49
  [MINED113] Express PUT /api/projects/:id has no auth: Express route PUT /api/projects/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unau…
- server/routes/setupProjectRoutes.ts:55
  [MINED113] Express POST /api/projects/:id/export has no auth: Express route POST /api/projects/:id/export declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELET…
- server/routes/setupProjectRoutes.ts:58
  [MINED113] Express POST /api/projects/:id/generate has no auth: Express route POST /api/projects/:id/generate declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/D…
- server/routes/setupProjectRoutes.ts:62
  [MINED113] Express DELETE /api/projects/:id/token has no auth: Express route DELETE /api/projects/:id/token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DEL…
- server/routes/setupProjectRoutes.ts:65
  [MINED113] Express POST /api/settings/comments-generation has no auth: Express route POST /api/settings/comments-generation declared without an auth middleware in its handler chain. Destructive metho…
- server/routes/setupProjectRoutes.ts:73
  [MINED113] Express POST /api/projects/:id/export-to-google-sheets has no auth: Express route POST /api/projects/:id/export-to-google-sheets declared without an auth middleware in its handler chain. D…
- server/routes/setupProjectRoutes.ts:74
  [MINED113] Express POST /api/projects/:id/export-structure-to-google-sheets has no auth: Express route POST /api/projects/:id/export-structure-to-google-sheets declared without an auth middleware in …
- server/routes/setupProjectRoutes.ts:77
  [MINED113] Express POST /api/media/upload-from-url has no auth: Express route POST /api/media/upload-from-url declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/D…
- server/routes/setupProjectRoutes.ts:80
  [MINED113] Express POST /api/bot-folders/cleanup has no auth: Express route POST /api/bot-folders/cleanup declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELET…
- server/routes/setupUserTemplateRoutes.ts:25
  [MINED113] Express POST /api/user/templates has no auth: Express route POST /api/user/templates declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) o…
- server/routes/setupUserTemplateRoutes.ts:26
  [MINED113] Express PATCH /api/user/templates/:id has no auth: Express route PATCH /api/user/templates/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELET…
- server/routes/setupUserTemplateRoutes.ts:27
  [MINED113] Express DELETE /api/user/templates/:id has no auth: Express route DELETE /api/user/templates/:id declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DEL…
MINED115 · GitHub Action pinned to mutable ref (not 40-char SHA) · CWE-829 · conf 0.90
- .github/workflows/build-tree.yml:16
  [MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED118 · Dockerfile FROM not pinned by sha256 digest · CWE-829 · conf 0.90
[MINED118] Dockerfile FROM `node:20-alpine` not pinned by digest: `FROM node:20-alpine` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is …
Locations:
- Dockerfile:5
- Dockerfile:18
SEC004 · SQL Injection Risk · conf 0.50
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
Locations:
- tools/_check_db.py:17
- tools/_check_orphans.py:38
- tools/_list_tables.py:9
SEC020 · Secret Printed to Logs · conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
Locations:
- scripts/auto-push-github.ts:92
- scripts/fetch-bot-avatar.ts:36
- scripts/fetch-user-avatars.ts:35
AGT007 · localStorage write failures are swallowed silently · conf 0.80
- client/components/editor/canvas/canvas/zoom-controls.tsx:89
AUC001 · No Repobility access matrix policy found · conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
AUC002 · Low visible authorization coverage in route inventory · conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
[AUC002] Low visible authorization coverage in route inventory: Only 14.5% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC004 · Admin route does not show super_admin separation · conf 0.66
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
Locations:
- server/routes/setupBotIntegrationRoutes.ts:197
- server/routes/setupBotIntegrationRoutes.ts:200
- server/routes/setupBotIntegrationRoutes.ts:201
- server/routes/setupProjectRoutes.ts:62
- server/routes/setupProjectRoutes.ts:65
- server/routes/setupProjectRoutes.ts:68
- server/routes/setupProjectRoutes.ts:69
- server/routes/setupProjectRoutes.ts:70
- server/routes/setupProjectRoutes.ts:73
- server/routes/setupProjectRoutes.ts:74
AUC009 · Sensitive function route lacks elevated authorization evidence · conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
Locations:
- server/routes/setupBotManagementRoutes.ts:32
- server/routes/setupBotManagementRoutes.ts:35
- server/routes/setupBotManagementRoutes.ts:36
- server/routes/setupBotManagementRoutes.ts:37
- server/routes/setupBotManagementRoutes.ts:38
- server/routes/setupBotManagementRoutes.ts:39
- server/routes/setupBotManagementRoutes.ts:40
- server/routes/setupBotManagementRoutes.ts:41
- server/routes/setupBotManagementRoutes.ts:42
- server/routes/setupProjectRoutes.ts:42
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
scripts/add_reload_token_node.py:16
· conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
DKR001
Docker final stage has no non-root USER
Dockerfile:18
· conf 0.82
Docker final stage has no non-root USER
DKR014
Dockerfile copies the entire context without .dockerignore
Dockerfile:14
· conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
tools/generate_tree_json.py:49
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
client/components/editor/bot/profile/use-admin-ids.ts:72
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
server/redis/redisClient.ts:63
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
server/redis/redisPlatformSubscriber.ts:164
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
JRN003
Frontend API reference is not matched by discovered backend routes
client/App.tsx:187
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/App.tsx:188
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/App.tsx:192
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/bot/bot-control.tsx:279
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/bot/token/TokenDisplayEdit.tsx:59
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/bot/token/useTokenUpdate.ts:71
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/code/hooks/use-code-generator.ts:64
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/code/panel/CodePanel.tsx:113
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/database/dialog/dialog-panel.tsx:102
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/database/dialog/hooks/use-delete-message.ts:62
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/database/dialog/hooks/use-edit-message.ts:74
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/database/user-database/hooks/mutations/use-send-message.ts:45
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/database/user-details/components/PanelHeader.tsx:47
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/google-sheets/GoogleSheetsExportButton.tsx:171
· conf 0.74
Frontend API reference is not matched by discovered backend routes
JRN003
Frontend API reference is not matched by discovered backend routes
client/components/editor/groups/groups-panel.tsx:646
· conf 0.74
Frontend API reference is not matched by discovered backend routes
MINED111
Bare except continues silently
scripts/check_db_queries.py:36
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_db_queries.py:117
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_db_queries.py:142
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/check_db_queries.py:174
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/utils/update_bot_project_data.py:25
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/utils/update_bot_project_data.py:128
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
server/bots/userbotAuth.py:126
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
server/python/worker.py:58
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
server/python/worker.py:356
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tools/_check_apis2.py:55
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tools/_check_db.py:20
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tools/generate_tree_json.py:31
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tools/generate_tree_json.py:91
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC001
Hardcoded Password
scripts/fix_texts_encoding.py:18
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC014
SSL Verification Disabled
tools/_check_apis2.py:12
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
client/components/editor/google-sheets/GoogleSheetsExportButton.tsx:181
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
client/components/editor/header/hooks/use-telegram-login.ts:147
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
client/components/editor/telegram-client/components/api-credentials-form.tsx:87
· conf 1.00
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer": <a target="_blank"> without rel="noopener noreferrer" leaks window.opener to the opened page. The opened page can then run win…
SEC042
SQL identifier injection via f-string in cursor execute
tools/inspect_db.py:25
· conf 1.00
[SEC042] SQL identifier injection via f-string in cursor execute: f-string SQL normalizes an unsafe pattern. Currently safe when only trusted internal values are interpolated (e.g. self._table in Odo…
SEC045
eval()/exec() on stored or user-supplied data
client/components/editor/sidebar/hooks/useImportExport.ts:106
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
client/components/editor/sidebar/parsePythonCodeToJson.ts:44
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
scripts/find-unused-ts.mjs:45
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC087
JS: weak Math.random for crypto
client/components/editor/properties/components/common/key-value-editor.tsx:52
· conf 1.00
[SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
scripts/check_db_queries.py:21
· conf 0.95
[COMP001] High cognitive complexity: Function `run_checks` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested b…
DKC006
Compose service does not declare a runtime user
docker-compose.yml:31
· conf 0.56
Compose service does not declare a runtime user
DKC010
Compose service lacks no-new-privileges hardening
docker-compose.yml:31
· conf 0.62
Compose service lacks no-new-privileges hardening
DKC015
Database service has no healthcheck
docker-compose.yml:22
· conf 0.72
Database service has no healthcheck
DKC016
App service does not wait for database health
docker-compose.yml:31
· conf 0.68
App service does not wait for database health
DKC017
Database password is wired through an environment variable placeholder
docker-compose.yml:6
· conf 0.58
Database password is wired through an environment variable placeholder
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
SEC006
XSS Risk
client/components/editor/inline-rich/hooks/useCodeLanguage.ts:133
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC006
XSS Risk
client/components/editor/inline-rich/hooks/useEditorSync.ts:95
· conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.
SEC132
String concat where the language has interpolation (AI style drift)
scripts/auto-push-github.ts:25
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
scripts/sync-github.ts:25
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
WEB001
Public web app has no robots.txt
robots.txt
· conf 0.74
Public web app has no robots.txt
WEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemap
WEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txt
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 29 more): Same pattern found in 29 additional files. Review if needed.
MINED007
Sql String Concat
CWE-89
· conf 0.20
[MINED007] Sql String Concat (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED014
Disabled Tls Verify
CWE-295
· conf 0.20
[MINED014] Disabled Tls Verify (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 2 more): Same pattern found in 2 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
client/components/editor/database/responses-table/components/response-photo.tsx:142
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
client/components/editor/database/responses-table/components/response-row.tsx:83
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
client/components/editor/database/user-database/components/details/response-media.tsx:180
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 297 more): Same pattern found in 297 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
client/App.tsx:177
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
client/components/editor/bot/profile/BotProfileEditor.tsx:79
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
client/components/ErrorBoundary.tsx:24
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 39 more): Same pattern found in 39 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
client/components/editor/bot/bot-control.tsx:162
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
client/components/editor/bot/contexts/ActiveTerminalsContext.tsx:118
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
client/components/editor/broadcast/wizard/step-confirm.tsx:77
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED049
Print Pii
CWE-532
· conf 0.20
[MINED049] Print Pii (and 29 more): Same pattern found in 29 additional files. Review if needed.
MINED049
Print Pii
CWE-532
client/components/editor/terminal/use-terminal-websocket.ts:127
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
scripts/add_reload_token_node.py:30
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED049
Print Pii
CWE-532
scripts/auto-push-github.ts:92
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED050
Stub Only Function
CWE-1188
tools/generate_tree_json.py:50
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 238 more): Same pattern found in 238 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
client/components/editor/bot/add-bot/AddBotDialogActions.tsx:19
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
client/components/editor/bot/add-bot/AddBotDialog.tsx:49
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
client/components/editor/bot/add-bot/AddBotTokenInput.tsx:16
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED053
Placeholder Default Username
CWE-1392 CWE-798
client/components/editor/properties/components/configuration/user-management-configuration.tsx:14
· conf 1.00
[MINED053] Placeholder Default Username: [email protected] / [email protected] / admin/admin / changeme — typical AI placeholder credentials.
MINED054
Ts As Any
CWE-704
· conf 0.20
[MINED054] Ts As Any (and 161 more): Same pattern found in 161 additional files. Review if needed.
MINED054
Ts As Any
CWE-704
client/components/editor/analytics/analytics-sources-chart.tsx:191
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
client/components/editor/app-sidebar/components/sidebar-footer.tsx:59
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
client/components/editor/canvas/canvas-node/answer-callback-query-preview.tsx:21
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED056
React Key As Index
CWE-682
· conf 0.20
[MINED056] React Key As Index (and 34 more): Same pattern found in 34 additional files. Review if needed.
MINED056
React Key As Index
CWE-682
client/components/editor/analytics/analytics-sources-chart.tsx:65
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
client/components/editor/bot/panel/BotControlPanelLoading.tsx:18
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
client/components/editor/broadcast/broadcast-panel.tsx:118
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED058
React Dangerously Set Html
CWE-79
client/components/ui/chart.tsx:81
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED063
Toctou Os Path Exists
CWE-367
tools/check_tables.py:11
· conf 1.00
[MINED063] Toctou Os Path Exists: if os.path.exists(p): open(p) — file can be replaced/deleted between check and use.
MINED064
Python Input Call
scripts/utils/validate.py:3
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED067
Python Requests No Timeout
CWE-400
· conf 0.20
[MINED067] Python Requests No Timeout (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED067
Python Requests No Timeout
CWE-400
tools/_add_casper_159.py:181
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
tools/_add_crazybtc_159.py:216
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED067
Python Requests No Timeout
CWE-400
tools/_add_cryptoflow_159.py:223
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
MINED074
Ai Tell Fake Citation
client/components/editor/properties/components/configuration/http-curl-import.tsx:113
· conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
SEC004
SQL Injection Risk
· conf 0.20
[SEC004] SQL Injection Risk (and 5 more): Same pattern found in 5 additional files. Review if needed.
SEC020
Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 33 more): Same pattern found in 33 additional files. Review if needed.
SEC022
Database URL With Embedded Credential
· conf 0.20
[SEC022] Database URL With Embedded Credential (and 9 more): Same pattern found in 9 additional files. Review if needed.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 35 more): Same pattern found in 35 additional files. Review if needed.
SEC041
Tabnabbing — target="_blank" without rel="noopener noreferrer"
· conf 0.20
[SEC041] Tabnabbing — target="_blank" without rel="noopener noreferrer" (and 1 more): Same pattern found in 1 additional files. Review if needed.
SEC078
Python: requests without timeout
· conf 0.20
[SEC078] Python: requests without timeout (and 7 more): Same pattern found in 7 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 2 more): Same pattern found in 2 additional files. Review if needed.
SEC120
Hardcoded HMAC key or JWT signing secret
server/routes/auth/handlers/miniAppAuthHandler.ts:29
· conf 0.10
[SEC120] Hardcoded HMAC key or JWT signing secret: JWT/HMAC signing secret hardcoded in source. Anyone with source access can forge tokens; secret leaks via git history.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 31 more): Same pattern found in 31 additional files. Review if needed.
SEC135
Auth/permission check missing on AI-generated endpoint
server/routes/setupWebhookRoutes.ts:37
· conf 0.10
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…