← Legacy view v2 (rp.*)

astral-sh/uv

https://github.com/astral-sh/uv · lang: rust · LOC: · source: both

Quality
76.2
Grade B+
Security
80.3
Findings
8
0 critical · 3 high
Status
completed
May 16, 2026 09:40
high: 3 info: 3 medium: 2
Top rules by occurrence
RuleSeverityCount
SEC001 Hardcoded Password critical 3
SEC013 Path Traversal — User Input in File Path high 2
SEC004 SQL Injection Risk high 1
SEC020 Secret Printed to Logs high 1
SEC012 ZipSlip — Archive Path Traversal medium 1
First 8 findings (severity-sorted)
high SEC004 SQL Injection Risk
scripts/update_schemastore.py:38 · conf 0.50 
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
high SEC013 Path Traversal — User Input in File Path
scripts/benchmark/src/benchmark/resolver.py:228 · conf 0.80 
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
high SEC013 Path Traversal — User Input in File Path
scripts/publish-crates.py:80 · conf 0.80 
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
medium SEC001 Hardcoded Password
crates/uv-auth/src/store.rs:493 · conf 0.30 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
medium SEC012 ZipSlip — Archive Path Traversal
scripts/repair-sdist-cargo-lock.py:32 · conf 1.00 
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
info SEC001 Hardcoded Password
crates/uv-auth/src/middleware.rs:1045 · conf 0.10 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
info SEC001 Hardcoded Password
crates/uv-client/src/registry_client.rs:1690 · conf 0.10 
[SEC001] Hardcoded Password: Hardcoded password found in source code.
info SEC020 Secret Printed to Logs
scripts/registries-test.py:133 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/9d80afe6-b891-4d50-b2cd-9006567d3dc2/.