https://github.com/maruturisaisasidhar/vcodex.git
lang: javascript
LOC:
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| JRN009 Secret-like setting is echoed into a password input value | high | 5 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC135 Auth/permission check missing on AI-generated endpoint | high | 3 |
| MINED056 React Key As Index | info | 3 |
| MINED113 Express POST/PUT/DELETE/PATCH route without auth | high | 2 |
| MINED012 Curl Pipe Bash | high | 2 |
| SEC020 Secret Printed to Logs | high | 2 |
| MINED055 Npm Install No Lockfile | info | 2 |
| MINED049 Print Pii | info | 2 |
| MINED065 Cors Wildcard | info | 2 |
CORE_ENV_FILE · .env file committed to repository · .env

SEC009 · .env · conf 1.00
[SEC009] .env File Committed: .env file with secrets committed to repository.

SEC049 · GCP API key · src/firebase/config.js:13 · conf 1.00
[SEC049] GCP API key: Google Cloud API key (AIza prefix). Ported from gitleaks gcp-api-key (MIT).

CORE_NO_TESTS · No test files found
JRN009 · Secret-like setting is echoed into a password input value · src/pages/FacultyLoginPage.jsx:111 · conf 0.83

JRN009 · Secret-like setting is echoed into a password input value · src/pages/FacultyLoginPage.jsx:285 · conf 0.83

JRN009 · Secret-like setting is echoed into a password input value · src/pages/FacultySetupPage.jsx:94 · conf 0.83

JRN009 · Secret-like setting is echoed into a password input value · src/pages/FacultySetupPage.jsx:272 · conf 0.83

JRN009 · Secret-like setting is echoed into a password input value · src/pages/FacultySetupPage.jsx:452 · conf 0.83
MINED012 · Curl Pipe Bash · CWE-494 · deploy-execution-server.sh:28 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

MINED012 · Curl Pipe Bash · CWE-494 · deploy-to-ec2.sh:13 · conf 1.00
[MINED012] Curl Pipe Bash: curl ... | sh / bash — runs unverified network code.

MINED113 · Express POST/PUT/DELETE/PATCH route without auth · CWE-306, CWE-862 · server.js:25 · conf 0.80
[MINED113] Express POST /api/lara has no auth: Express route POST /api/lara declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated ro…

MINED113 · Express POST/PUT/DELETE/PATCH route without auth · CWE-306, CWE-862 · server-production.js:36 · conf 0.80
[MINED113] Express POST /api/lara/ask has no auth: Express route POST /api/lara/ask declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenti…
SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · src/components/exam/faculty/QuestionForm.jsx:70 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

SEC135 · Auth/permission check missing on AI-generated endpoint · deploy-to-ec2.sh:79 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

SEC135 · Auth/permission check missing on AI-generated endpoint · server.js:25 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

SEC135 · Auth/permission check missing on AI-generated endpoint · server-production.js:36 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…

AUC001 · conf 0.92
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.

AUC002 · conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
[AUC002] Low visible authorization coverage in route inventory: Only 25.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.

CORE_NO_CI · No CI/CD configuration found
SEC015 · Insecure Randomness for Security · functions/index.js:28 · conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.

WEB003 · Public web service has no security.txt · .well-known/security.txt · conf 0.78

WEB015 · Public web app has no Content Security Policy · index.html · conf 0.70

AUC005 · conf 0.76
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.

CORE_NO_LICENSE · No LICENSE file

SEC006 · XSS Risk · src/components/panels/PreviewPanel.jsx:36 · conf 0.40
[SEC006] XSS Risk: Direct HTML injection without sanitization.

WEB001 · Public web app has no robots.txt · robots.txt · conf 0.74

WEB002 · Public web app has no sitemap · sitemap.xml · conf 0.72

WEB008 · Public docs site has no llms.txt · llms.txt · conf 0.64

WEB011 · Public web app has no humans.txt · humans.txt · conf 0.50
MINED043 · Http Not Https · CWE-319 · deploy-to-ec2.sh:235 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.

MINED044 · Js Console Log Prod · CWE-532 · conf 0.20
[MINED044] Js Console Log Prod (and 18 more): Same pattern found in 18 additional files. Review if needed.

MINED044 · Js Console Log Prod · CWE-532 · server.js:55 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

MINED044 · Js Console Log Prod · CWE-532 · server-production.js:44 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

MINED044 · Js Console Log Prod · CWE-532 · src/api/examService.js:197 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.

MINED049 · Print Pii · CWE-532 · deploy-to-ec2.sh:155 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

MINED049 · Print Pii · CWE-532 · server-production.js:103 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.

MINED055 · Npm Install No Lockfile · CWE-1357 · deploy-execution-server.sh:36 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.

MINED055 · Npm Install No Lockfile · CWE-1357 · deploy-to-ec2.sh:32 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED056 · React Key As Index · CWE-682 · src/components/exam/faculty/QuestionForm.jsx:168 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

MINED056 · React Key As Index · CWE-682 · src/components/exam/student/QuestionViewer.jsx:31 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

MINED056 · React Key As Index · CWE-682 · src/components/panels/AiPanel.jsx:137 · conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.

MINED057 · Todo Bomb · src/hooks/useGitHub.js:30 · conf 1.00
[MINED057] Todo Bomb: Code path with a TODO/FIXME/HACK comment that gates correctness — left for later but never resolved.

MINED058 · React Dangerously Set Html · CWE-79 · src/components/exam/student/QuestionViewer.jsx:22 · conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED065 · Cors Wildcard · CWE-942, CWE-346 · server.js:13 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.

MINED065 · Cors Wildcard · CWE-942, CWE-346 · server-production.js:13 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.

SEC020 · Secret Printed to Logs · deploy-to-ec2.sh:154 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

SEC020 · Secret Printed to Logs · server-production.js:44 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/8aacf6ca-6284-49d9-b68d-7c6c5b949e6f/.