openjdk/jdk

https://github.com/openjdk/jdk.git · lang: java · LOC: · source: user_submitted

Quality: 66.2 (Grade B-)
Security: 100.0
Findings: 7 (1 critical · 0 high · 4 medium · 2 low)
Status: completed · May 18, 2026 04:28
Top rules by occurrence

| Rule   | Description                                                                              | Severity | Count |
|--------|------------------------------------------------------------------------------------------|----------|-------|
| SEC087 | JS: weak Math.random for crypto                                                          | medium   | 2     |
| AIC003 | Duplicated implementation block across source files                                      | low      | 2     |
| CFG006 | Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.  | medium   | 1     |
| SEC123 | Production stack trace / debug output exposed                                            | medium   | 1     |
| SEC101 | Unsafe Java object deserialization (ObjectInputStream)                                   | critical | 1     |
First 7 findings (severity-sorted)

1. critical · SEC101 · Unsafe Java object deserialization (ObjectInputStream)
   src/demo/share/jfc/Stylepad/Stylepad.java:297 · conf 1.00
   [SEC101] Unsafe Java object deserialization (ObjectInputStream): Java ObjectInputStream deserializes untrusted bytes into objects. Attacker-controlled streams trigger gadget chains (Apache Commons Co…

2. medium · CFG006 · Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
   (no file location) · conf 1.00
   [CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.

3. medium · SEC087 · JS: weak Math.random for crypto
   src/demo/share/jfc/J2Ddemo/java2d/demos/Composite/FadeAnim.java:321 · conf 1.00
   [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

4. medium · SEC087 · JS: weak Math.random for crypto
   src/demo/share/jfc/J2Ddemo/java2d/demos/Paint/GradAnim.java:64 · conf 1.00
   [SEC087] JS: weak Math.random for crypto: Math.random() is not cryptographically secure; using it for tokens/keys/nonces is predictable. Ported from gosec G404 / eslint detect-pseudoRandomBytes conce…

5. medium · SEC123 · Production stack trace / debug output exposed
   src/demo/share/jfc/SwingSet2/SwingSet2.java:125 · conf 1.00
   [SEC123] Production stack trace / debug output exposed: Debug mode left on in production exposes stack traces, environment variables, framework internals — sometimes triggers RCE (Django debug page w…

6. low · AIC003 · Duplicated implementation block across source files
   src/hotspot/cpu/aarch64/gc/shenandoah/shenandoahBarrierSetAssembler_aarch64.cpp:422 · conf 0.86
   [AIC003] Duplicated implementation block across source files

7. low · AIC003 · Duplicated implementation block across source files
   src/hotspot/cpu/aarch64/gc/z/zBarrierSetAssembler_aarch64.hpp:56 · conf 0.86
   [AIC003] Duplicated implementation block across source files