https://github.com/opentoonz/opentoonz.git ·
lang: c ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED134 [MINED134] Binary file `bin/ref/ScriptoriaCommonDefs.dll` c… | high | 25 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 10 |
| SEC128 Async function without await — fire-and-forget Promise (AI … | high | 4 |
| MINED022 C Strcpy | critical | 4 |
| MINED042 Cpp New Without Delete | info | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 4 |
| MINED080 Cpp Using Namespace Std | info | 4 |
| MINED043 Http Not Https | info | 4 |
MINED022
C Strcpy
CWE-120
toonz/sources/common/twain/ttwain_error.c:112
· conf 1.00
[MINED022] C Strcpy: strcpy/strcat don't bounds-check; copy with an explicit destination size (snprintf, or strlcpy where available) and check for truncation. strncpy on its own is not a fix: it does not guarantee NUL termination when the source is too long.
MINED022
C Strcpy
CWE-120
toonz/sources/common/twain/ttwain_stateW.c:29
· conf 1.00
[MINED022] C Strcpy: strcpy/strcat don't bounds-check; copy with an explicit destination size (snprintf, or strlcpy where available) and check for truncation. strncpy on its own is not a fix: it does not guarantee NUL termination when the source is too long.
MINED022
C Strcpy
CWE-120
toonz/sources/image/tzp/infoplt.c:42
· conf 1.00
[MINED022] C Strcpy: strcpy/strcat don't bounds-check; copy with an explicit destination size (snprintf, or strlcpy where available) and check for truncation. strncpy on its own is not a fix: it does not guarantee NUL termination when the source is too long.
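Added example, not OpenToonz code: the CWE-120 shape MINED022 flags, next to two bounded replacements that always terminate the destination and report when the input did not fit. The 16-byte buffer, the function names and the inputs are illustrative.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenToonz code. NAME_BUF and the names are illustrative. */
#define NAME_BUF 16

/* The flagged pattern. dst is a fixed 16-byte buffer; strcpy writes
 * strlen(src)+1 bytes regardless, so any src of 16+ bytes overruns it.
 * Kept only to show the hazard; the demo never calls it with long input. */
void copy_name_unsafe(char dst[NAME_BUF], const char *src) {
    strcpy(dst, src);
}

/* Bounded copy. Writes at most dst_size-1 bytes, always NUL-terminates, and
 * returns false when src did not fit so the caller can reject the input
 * rather than silently work with a clipped string. strncpy alone is not
 * enough: it leaves dst unterminated when src is too long. */
bool copy_name_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);
    return true;
}

/* Same contract via snprintf: it always terminates, and its return value is
 * the length that was needed, so a value >= dst_size means truncation. */
bool copy_name_snprintf(char *dst, size_t dst_size, const char *src) {
    int needed = snprintf(dst, dst_size, "%s", src);
    return needed >= 0 && (size_t)needed < dst_size;
}

int main(void) {
    char name[NAME_BUF];
    const char *short_in = "ttwain_ok";                 /* 9 bytes, fits */
    const char *long_in  = "this-name-is-far-too-long"; /* 25 bytes, does not fit */

    copy_name_unsafe(name, short_in);   /* safe only because the input is short */
    printf("unsafe copy:   %s\n", name);
    printf("bounded ok:    %d -> %s\n", copy_name_bounded(name, sizeof name, short_in), name);
    printf("bounded long:  %d -> %s\n", copy_name_bounded(name, sizeof name, long_in), name);
    printf("snprintf long: %d -> %s\n", copy_name_snprintf(name, sizeof name, long_in), name);
    return 0;
}
```

The important part of the fix is the return value: a truncated file name or device string is usually a bug in its own right, so the caller should fail closed on `false` rather than carry on with the clipped copy.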
MINED017
C System Call
CWE-78
toonz/sources/toonz/history.cpp:27
· conf 1.00
[MINED017] C System Call: system() hands its argument to the shell, so if any part of the command string comes from dynamic data (a file name, a user setting) an attacker can append further commands; that is command injection. Prefer the exec family or posix_spawn with an argv array so no shell is involved, and validate the dynamic part against an allowlist if a shell is unavoidable.
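Added example, not OpenToonz code: the injection shape MINED017 describes, a metacharacter check and an allowlist validator for the dynamic part, and the no-shell alternative (fork + execvp with an argv array). The command, the field names and the hostile input are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not OpenToonz code. Command and names are illustrative. */

/* The flagged shape: dynamic data goes straight into a shell command line.
 * With name = "a.txt; rm -rf ~" the shell runs both commands. */
int build_shell_command(char *out, size_t out_size, const char *name) {
    return snprintf(out, out_size, "cat %s", name);
}

/* Bytes the POSIX shell treats specially; any of these in an argument
 * means the argument cannot be spliced into a command string as-is. */
bool has_shell_metachar(const char *s) {
    static const char meta[] = " \t\n;|&$`<>()\\\"'*?[]{}~#!";
    for (; *s != '\0'; s++) {
        if (strchr(meta, *s) != NULL) return true;
    }
    return false;
}

/* Allowlist for a plain file name: [A-Za-z0-9._-], non-empty, not starting
 * with '-' (would become an option), no path separators, not "." or "..".
 * Reject-by-default beats trying to escape for the shell. */
bool is_safe_plain_name(const char *s) {
    if (s == NULL || *s == '\0' || *s == '-') return false;
    if (strcmp(s, ".") == 0 || strcmp(s, "..") == 0) return false;
    for (const char *p = s; *p != '\0'; p++) {
        char c = *p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return false;
    }
    return true;
}

/* No shell at all: fork + execvp with an argv array. Each element reaches
 * the program as one argument, so ';' or '$(...)' in name are just bytes.
 * Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    const char *hostile = "a.txt; rm -rf ~";   /* constructed attacker input */

    build_shell_command(cmd, sizeof cmd, hostile);
    printf("what system() would run: %s\n", cmd);
    printf("metachar? %d  allowlisted? %d\n",
           has_shell_metachar(hostile), is_safe_plain_name(hostile));

    /* Safe path: the hostile string is one argv element; no shell parses it. */
    char *argv[] = { "echo", "arg:", (char *)hostile, NULL };
    return run_without_shell(argv) == 0 ? 0 : 1;
}
```

`has_shell_metachar` is the diagnostic (does this value need a shell to misbehave?); `is_safe_plain_name` is the control to use when a shell really is required; `run_without_shell` is the preferred fix because it removes the shell from the picture entirely.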
MINED104
Chmod 777
CWE-732, CWE-276
toonz/install/copy_plugin.sh:81
· conf 1.00
[MINED104] Chmod 777: chmod 777 makes a file or directory world-readable, world-writable, AND world-executable. Local privilege escalation surface; audit-failing for most compliance frameworks. Use the narrowest mode the consumer needs, typically 755 for directories and executables and 644 for data files, and apply it only to the paths the script installs.
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
thirdparty/kiss_fft/test/testkiss.py:71
· conf 1.00
[MINED106] Phantom test coverage: test_fft: Test function `test_fft` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifying …
MINED108
self.attribute used but never assigned in __init__
CWE-476
toonz/sources/toonz/toonz_qrc_validator.py:41
· conf 1.00
[MINED108] `self._validate_path` used but never assigned in __init__: Method `validate_paths` of class `QrcValidator` reads `self._validate_path`, but no assignment to it exists in __init__ (and no c…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_linux.yml:35
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_linux.yml:44
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_linux.yml:110
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_macos.yml:33
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_macos.yml:74
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_macos.yml:139
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_windows.yml:43
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_windows.yml:50
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_windows.yml:87
· conf 0.90
[MINED115] Action `microsoft/setup-msbuild` pinned to mutable ref `@v2`: `uses: microsoft/setup-msbuild@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/workflow_windows.yml:154
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
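Added example, not OpenToonz code: the MINED115 check as a small gate that could run pre-commit or in CI, written in C to match the rest of this page. It parses `uses:` lines out of workflow text, skips local (`./`) and `docker://` steps, and accepts only a full 40-hex commit SHA as the ref. The sample workflow is constructed to mirror the shapes flagged above; the 40-character SHA in it is a placeholder, not a real commit of any action.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenToonz code. */

/* true if the ref after the last '@' is exactly 40 hex digits */
bool uses_is_sha_pinned(const char *uses) {
    const char *at = strrchr(uses, '@');
    if (at == NULL) return false;              /* no ref: floats on the default branch */
    const char *ref = at + 1;
    if (strlen(ref) != 40) return false;
    for (int i = 0; i < 40; i++) {
        if (!isxdigit((unsigned char)ref[i])) return false;
    }
    return true;
}

/* Copy the value of a `uses:` line into out; false if the line has none. */
static bool parse_uses_line(const char *line, char *out, size_t out_size) {
    const char *p = strstr(line, "uses:");
    if (p == NULL) return false;
    p += 5;
    while (*p == ' ' || *p == '\t' || *p == '"' || *p == '\'') p++;
    size_t n = 0;
    while (p[n] != '\0' && strchr(" \t\"'\r\n#", p[n]) == NULL) n++;
    if (n == 0 || n >= out_size) return false;
    memcpy(out, p, n);
    out[n] = '\0';
    return true;
}

/* Walk the workflow text line by line; return the number of third-party
 * actions not pinned to a SHA and copy the first offender into first_bad. */
int count_unpinned_actions(const char *workflow, char *first_bad, size_t first_bad_size) {
    int bad = 0;
    if (first_bad_size > 0) first_bad[0] = '\0';
    const char *line = workflow;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        char uses[256];
        if (parse_uses_line(buf, uses, sizeof uses) &&
            strncmp(uses, "./", 2) != 0 &&          /* local action: no remote ref */
            strncmp(uses, "docker://", 9) != 0 &&   /* image refs need digest pinning instead */
            !uses_is_sha_pinned(uses)) {
            if (bad == 0 && first_bad_size > 0) snprintf(first_bad, first_bad_size, "%s", uses);
            bad++;
        }
        if (nl == NULL) break;
        line = nl + 1;
    }
    return bad;
}

/* Constructed sample. The 40-hex SHA is a placeholder, not a real
 * actions/upload-artifact commit. */
const char SAMPLE_WORKFLOW[] =
    "jobs:\n"
    "  build:\n"
    "    steps:\n"
    "      - uses: actions/checkout@v6\n"
    "      - uses: actions/cache@v5\n"
    "      - uses: actions/upload-artifact@0123456789abcdef0123456789abcdef01234567 # v6\n"
    "      - uses: ./.github/actions/local-step\n"
    "      - uses: docker://alpine:3.19\n";

int main(void) {
    char first[256];
    int n = count_unpinned_actions(SAMPLE_WORKFLOW, first, sizeof first);
    printf("%d unpinned action(s); first: %s\n", n, first);
    return n == 0 ? 0 : 1;
}
```

Keep the `# v6` comment after a pinned SHA: Dependabot and Renovate read it to know which release line to bump, so pinning does not freeze you on an old version. Pinning fixes the tag-moving problem; it does nothing about what a pinned action itself downloads at run time, which is a separate review.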
MINED134
[MINED134] Binary file `bin/ref/ScriptoriaCommonDefs.dll` committed in source repo: `bin/ref/ScriptoriaCommonDefs.dll` is a .dll binary (29,208 bytes) committed to a repo that otherwise has 1643 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s1.o` is a .o binary (521 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1c_s2.o` is a .o binary (707 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f1.o` is a .o binary (563 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1f_f2.o` is a .o binary (685 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f1.o` is a .o binary (691 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_f2.o` is a .o binary (941 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s1.o` is a .o binary (713 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1x_s2.o` is a .o binary (979 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f1.o` is a .o binary (691 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_f2.o` is a .o binary (941 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s1.o` is a .o binary (713 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/coff32/lzo1y_s2.o` is a .o binary (979 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1c_s2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1c_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1c_s2.o` is a .o binary (954 bytes) committed to a repo…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1x_f1.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1x_f1.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1x_f1.o` is a .o binary (938 bytes) committed to a repo…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1y_s2.o:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1y_s2.o` committed in source repo: `thirdparty/lzo/2.03/asm/i386/obj/elf32/lzo1y_s2.o` is a .o binary (1,226 bytes) committed to a re…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/dict.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/dict.exe` committed in source repo: `thirdparty/lzo/2.03/dict.exe` is a .exe binary (19,968 bytes) committed to a repo that otherwise has 4073 source files…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/lzopack.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/lzopack.exe` committed in source repo: `thirdparty/lzo/2.03/lzopack.exe` is a .exe binary (24,576 bytes) committed to a repo that otherwise has 4073 source…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/lzotest.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/lzotest.exe` committed in source repo: `thirdparty/lzo/2.03/lzotest.exe` is a .exe binary (154,624 bytes) committed to a repo that otherwise has 4073 sourc…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/precomp2.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/precomp2.exe` committed in source repo: `thirdparty/lzo/2.03/precomp2.exe` is a .exe binary (31,744 bytes) committed to a repo that otherwise has 4073 sour…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/precomp.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/precomp.exe` committed in source repo: `thirdparty/lzo/2.03/precomp.exe` is a .exe binary (31,232 bytes) committed to a repo that otherwise has 4073 source…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/simple.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/simple.exe` committed in source repo: `thirdparty/lzo/2.03/simple.exe` is a .exe binary (10,752 bytes) committed to a repo that otherwise has 4073 source f…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/testmini.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/testmini.exe` committed in source repo: `thirdparty/lzo/2.03/testmini.exe` is a .exe binary (10,240 bytes) committed to a repo that otherwise has 4073 sour…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/tools/lzocompress.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/tools/lzocompress.exe` committed in source repo: `thirdparty/lzo/2.03/tools/lzocompress.exe` is a .exe binary (8,192 bytes) committed to a repo that otherw…
MINED134
Binary file committed in source repo
thirdparty/lzo/2.03/tools/lzodecompress.exe:1
· conf 0.90
[MINED134] Binary file `thirdparty/lzo/2.03/tools/lzodecompress.exe` committed in source repo: `thirdparty/lzo/2.03/tools/lzodecompress.exe` is a .exe binary (8,192 bytes) committed to a repo that ot…
MINED134
Binary file committed in source repo
thirdparty/superlu/libsuperlu_4.1.a:1
· conf 0.90
[MINED134] Binary file `thirdparty/superlu/libsuperlu_4.1.a` committed in source repo: `thirdparty/superlu/libsuperlu_4.1.a` is a .a binary (1,338,672 bytes) committed to a repo that otherwise has 40…
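Added example, not OpenToonz code: a content-based classifier for the MINED134 finding. An extension filter is easy to dodge (a trojan object renamed to `.txt` passes it), so this looks at the leading bytes instead and recognises the four formats the findings above involve: PE (`.exe`/`.dll`, "MZ"), ELF (`elf32/*.o`), ar archives (`.a`) and i386 COFF objects (`coff32/*.o`, whose first two bytes are the little-endian machine id 0x014C). Everything the classifier does not call text is treated as needing an allowlist entry with recorded provenance. The byte strings are constructed for the demo, not taken from the repository's files; whether the vendored LZO objects match upstream's release is exactly what such a provenance record would settle.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenToonz code. Samples below are constructed. */

typedef enum {
    BLOB_TEXT,       /* looks like source: no NUL bytes in the sampled prefix */
    BLOB_PE,         /* "MZ" header: Windows .exe/.dll */
    BLOB_ELF,        /* 0x7F 'E' 'L' 'F': ELF objects, executables, shared libs */
    BLOB_AR,         /* "!<arch>\n": ar archive, i.e. a static library (.a) */
    BLOB_COFF_I386,  /* COFF object, Machine field 0x014C (IMAGE_FILE_MACHINE_I386) */
    BLOB_BINARY      /* NUL bytes present but no recognised header */
} blob_kind;

blob_kind classify_blob(const uint8_t *buf, size_t len) {
    /* "\x7f" "ELF" is split so the 'E' is not swallowed by the hex escape */
    if (len >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0) return BLOB_ELF;
    if (len >= 8 && memcmp(buf, "!<arch>\n", 8) == 0) return BLOB_AR;
    if (len >= 2 && buf[0] == 'M' && buf[1] == 'Z') return BLOB_PE;
    /* COFF has no magic string; the header starts with the machine id,
     * little-endian, and 0x014C is i386. Require a full 20-byte header. */
    if (len >= 20 && buf[0] == 0x4C && buf[1] == 0x01) return BLOB_COFF_I386;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == 0) return BLOB_BINARY;
    }
    return BLOB_TEXT;
}

const char *blob_kind_name(blob_kind k) {
    switch (k) {
    case BLOB_TEXT:      return "text";
    case BLOB_PE:        return "PE (MZ)";
    case BLOB_ELF:       return "ELF";
    case BLOB_AR:        return "ar archive";
    case BLOB_COFF_I386: return "COFF i386 object";
    default:             return "binary (unknown)";
    }
}

/* Policy hook: anything that is not text needs an explicit allowlist entry
 * and recorded provenance (upstream release + hash) before it may be committed. */
bool blob_needs_review(const uint8_t *buf, size_t len) {
    return classify_blob(buf, len) != BLOB_TEXT;
}

/* Constructed samples: only the header bytes that matter are meaningful. */
static const uint8_t SAMPLE_PE[]   = { 'M', 'Z', 0x90, 0x00, 0x03, 0x00 };
static const uint8_t SAMPLE_ELF[]  = { 0x7F, 'E', 'L', 'F', 0x01, 0x01, 0x01, 0x00 };
static const uint8_t SAMPLE_AR[]   = "!<arch>\nlzo1x.o/        0 ";
static const uint8_t SAMPLE_COFF[] = { 0x4C, 0x01, 0x03, 0x00, 0, 0, 0, 0, 0, 0,
                                       0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const char    SAMPLE_SRC[]  = "#include <stdio.h>\nint main(void) { return 0; }\n";

int main(void) {
    printf("pe:   %s\n", blob_kind_name(classify_blob(SAMPLE_PE, sizeof SAMPLE_PE)));
    printf("elf:  %s\n", blob_kind_name(classify_blob(SAMPLE_ELF, sizeof SAMPLE_ELF)));
    printf("ar:   %s\n", blob_kind_name(classify_blob(SAMPLE_AR, sizeof SAMPLE_AR - 1)));
    printf("coff: %s\n", blob_kind_name(classify_blob(SAMPLE_COFF, sizeof SAMPLE_COFF)));
    printf("src:  %s\n", blob_kind_name(classify_blob((const uint8_t *)SAMPLE_SRC,
                                                      sizeof SAMPLE_SRC - 1)));
    return 0;
}
```

Run this over the first few hundred bytes of each staged file in a pre-commit hook; a hit on anything but `BLOB_TEXT` outside the allowlisted `thirdparty/` paths should block the commit, and the allowlist entry itself should name the upstream release the blob came from and its hash so a reviewer can re-derive it.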
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
toonz/sources/common/twain/ttwain_winM.c:115
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… Triage note: this rule's reasoning (allowlisting a user-supplied URL before an outbound request) comes from web-service code; the flagged file is a C source, so confirm that the flagged line actually issues a network request before treating it as SSRF. If it does not, this is a language-mismatch false positive.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
toonz/sources/stdfx/iwa_particles.h:273
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… Triage note: this rule's reasoning (allowlisting a user-supplied URL before an outbound request) comes from web-service code; the flagged file is a C++ header, so confirm that the flagged line actually issues a network request before treating it as SSRF. If it does not, this is a language-mismatch false positive.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
toonz/sources/toonz/menubar.h:133
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25… Triage note: this rule's reasoning (allowlisting a user-supplied URL before an outbound request) comes from web-service code; the flagged file is a C++ header, so confirm that the flagged line actually issues a network request before treating it as SSRF. If it does not, this is a language-mismatch false positive.
SEC085
JS: child_process.exec with non-literal
toonz/sources/include/toonz/autoclose.h:62
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: the rule is specific to Node.js `child_process.exec`, and the flagged file is a C++ header, so the match is a false positive unless the line spawns a shell through a C/C++ equivalent such as system() or popen() with untrusted input; that is what to check instead.
SEC085
JS: child_process.exec with non-literal
toonz/sources/include/toonzqt/imageutils.h:201
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: the rule is specific to Node.js `child_process.exec`, and the flagged file is a C++ header, so the match is a false positive unless the line spawns a shell through a C/C++ equivalent such as system() or popen() with untrusted input; that is what to check instead.
SEC085
JS: child_process.exec with non-literal
toonz/sources/toonz/batchserversviewer.cpp:116
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: the rule is specific to Node.js `child_process.exec`, and the flagged file is C++, so the match is a false positive unless the line spawns a shell through a C/C++ equivalent such as system() or popen() with untrusted input; that is what to check instead.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
toonz/sources/image/bmp/tiio_bmp.cpp:40
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… Triage note: this is a JavaScript/TypeScript rule; C++ has no Promise or `await`, so a hit in a .cpp file is a false positive for the defect described. If what matched is a std::async or detached thread whose result is never collected, that is a different issue and should be filed as such.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
toonz/sources/image/sprite/tiio_sprite.cpp:162
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… Triage note: this is a JavaScript/TypeScript rule; C++ has no Promise or `await`, so a hit in a .cpp file is a false positive for the defect described. If what matched is a std::async or detached thread whose result is never collected, that is a different issue and should be filed as such.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
toonz/sources/tnzbase/tscanner/tscannertwain.cpp:162
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… Triage note: this is a JavaScript/TypeScript rule; C++ has no Promise or `await`, so a hit in a .cpp file is a false positive for the defect described. If what matched is a std::async or detached thread whose result is never collected, that is a different issue and should be filed as such.
COMP001
High cognitive complexity
toonz/sources/toonz/toonz_qrc_validator.py:83
· conf 0.95
[COMP001] High cognitive complexity: Function `print_report` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
MINED111
Bare except continues silently
toonz/sources/toonz/toonz_qrc_validator.py:53
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC045
eval()/exec() on stored or user-supplied data
toonz/sources/include/toonz/autoclose.h:61
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … Triage note: eval()/exec() here mean the Python/JavaScript builtins; the flagged file is C++, where a token named `exec` is more likely a method or an exec-family process call. SEC085 fires on the adjacent line of this header, so both rules are probably matching one `exec` identifier; check what that call executes rather than treating it as dynamic code evaluation.
SEC045
eval()/exec() on stored or user-supplied data
toonz/sources/include/toonzqt/imageutils.h:201
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … Triage note: eval()/exec() here mean the Python/JavaScript builtins; the flagged file is C++, where a token named `exec` is more likely a method or an exec-family process call. SEC085 fires on the same line of this header, so both rules are probably matching one `exec` identifier; check what that call executes rather than treating it as dynamic code evaluation.
SEC045
eval()/exec() on stored or user-supplied data
toonz/sources/t32bitsrv/main.cpp:44
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ … Triage note: eval()/exec() here mean the Python/JavaScript builtins; the flagged file is C++, where a token named `exec` is more likely a method or an exec-family process call. Check what that call executes and where its arguments come from rather than treating it as dynamic code evaluation.
AIC003
Duplicated implementation block across source files
plugins/geom/geom.cpp:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/multiplugin/multi.cpp:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
plugins/multiplugin/multi.cpp:6
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/glew/glew-1.9.0/auto/src/glew_utils.c:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/glew/glew-1.9.0/include/GL/glxew.h:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/kiss_fft/tools/psdpng.c:34
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/lz4frame.h:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/lz4frame_static.h:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/lz4hc.c:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/lz4hc.h:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/xxhash.c:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/xxhash.h:4
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/lib/xxhash.h:13
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/bench.h:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/datagen.c:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/datagencli.c:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/datagencli.c:6
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/datagen.h:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/datagen.h:5
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/frametest.c:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/fullbench.c:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/fullbench.c:7
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/fuzzer.c:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/fuzzer.c:31
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/lz4cli.c:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/lz4io.c:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/lz4io.c:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/lz4io.h:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/lz4io.h:3
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
thirdparty/Lz4/Lz4_131/programs/lz4io.h:8
· conf 0.86
Duplicated implementation block across source files
COMP001
High cognitive complexity
toonz/sources/toonz/toonz_qrc_validator.py:21
· conf 0.95
[COMP001] High cognitive complexity: Function `validate_paths` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — neste…
COMP001
High cognitive complexity
toonz/sources/toonz/toonz_qrc_validator.py:58
· conf 0.95
[COMP001] High cognitive complexity: Function `_validate_path` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — neste…
SEC132
String concat where the language has interpolation (AI style drift)
toonz/sources/toonzfarm/tfarmclient/appmainshell.cpp:142
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
MINED022
C Strcpy
CWE-120
· conf 0.20
[MINED022] C Strcpy (and 11 more): Same pattern found in 11 additional files. Review if needed.
MINED042
Cpp New Without Delete
CWE-401
· conf 0.20
[MINED042] Cpp New Without Delete (and 308 more): Same pattern found in 308 additional files. Review if needed.
MINED042
Cpp New Without Delete
CWE-401
toonz/sources/colorfx/colorfx.cpp:62
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED042
Cpp New Without Delete
CWE-401
toonz/sources/colorfx/rasterstyles.cpp:35
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED042
Cpp New Without Delete
CWE-401
toonz/sources/colorfx/rasterstyles.h:140
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
plugins/multiplugin/multi.cpp:273
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
toonz/sources/common/tsystem/tfilepath_io.cpp:18
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
toonz/sources/include/tiio_jpg_exif.h:6
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED075
C Malloc No Check
CWE-690
toonz/sources/common/psdlib/psdutils.cpp:131
· conf 1.00
[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.
MINED075
C Malloc No Check
CWE-690
toonz/sources/image/sprite/tiio_sprite.cpp:221
· conf 1.00
[MINED075] C Malloc No Check: malloc/calloc/realloc return value used without checking for NULL.
MINED080
Cpp Using Namespace Std
· conf 0.20
[MINED080] Cpp Using Namespace Std (and 29 more): Same pattern found in 29 additional files. Review if needed.
MINED080
Cpp Using Namespace Std
toonz/sources/common/tcontenthistory.cpp:25
· conf 1.00
[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace.
MINED080
Cpp Using Namespace Std
toonz/sources/common/tcore/tdebugmessage.cpp:6
· conf 1.00
[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace.
MINED080
Cpp Using Namespace Std
toonz/sources/common/tcore/tstopwatch.cpp:47
· conf 1.00
[MINED080] Cpp Using Namespace Std: using namespace std; pollutes the global namespace.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 16 more): Same pattern found in 16 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 8 more): Same pattern found in 8 additional files. Review if needed.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 2 more): Same pattern found in 2 additional files. Review if needed.