rohitg00/agentmemory

https://github.com/rohitg00/agentmemory · lang: typescript · LOC: · source: user_submitted

Quality: 90.0 (Grade A)
Security: 100.0
Findings: 122 (0 critical · 52 high)
Status: completed · May 24, 2026 01:20
Severity breakdown: high 52 · medium 13 · low 26 · info 31
Top rules by occurrence
Rule · Severity · Count
MINED108 self.attribute used but never assigned in __init__ · high · 25
AIC003 Duplicated implementation block across source files · low · 23
MINED118 Dockerfile FROM not pinned by sha256 digest · high · 8
DKR002 Dockerfile base image has no explicit tag · medium · 5
SEC040 innerHTML XSS — template literal with server-supplied data · high · 4
MINED054 Ts As Any · info · 4
MINED045 Ts Non Null Assertion · info · 4
SEC085 JS: child_process.exec with non-literal · high · 4
ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors. · medium · 4
DKR001 Docker final stage has no non-root USER · medium · 4
First 122 findings (severity-sorted)
high DKC006 Compose service does not declare a runtime user
docker-compose.yml:7 · conf 0.92
Compose service explicitly runs as root
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:184 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fall…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:185 · conf 1.00
[MINED108] `self._session_id` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no clas…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:186 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:188 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fall…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:190 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fall…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:192 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:193 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `initialize` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:218 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `system_prompt_block` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-l…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:219 · conf 1.00
[MINED108] `self._session_id` used but never assigned in __init__: Method `system_prompt_block` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (an…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:220 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `system_prompt_block` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no c…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:227 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `prefetch` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallba…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:244 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `queue_prefetch` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:297 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `handle_tool_call` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:316 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `handle_tool_call` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:323 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `handle_tool_call` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:342 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level fallb…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:344 · conf 1.00
[MINED108] `self._session_id` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no class…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:345 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:346 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `sync_turn` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class-level…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:356 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `on_session_end` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:357 · conf 1.00
[MINED108] `self._session_id` used but never assigned in __init__: Method `on_session_end` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:361 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `on_pre_compress` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:362 · conf 1.00
[MINED108] `self._session_id` used but never assigned in __init__: Method `on_pre_compress` of class `AgentMemoryProvider` reads `self._session_id`, but no assignment to it exists in __init__ (and no…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:363 · conf 1.00
[MINED108] `self._project` used but never assigned in __init__: Method `on_pre_compress` of class `AgentMemoryProvider` reads `self._project`, but no assignment to it exists in __init__ (and no class…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
integrations/hermes/__init__.py:373 · conf 1.00
[MINED108] `self._base` used but never assigned in __init__: Method `on_memory_write` of class `AgentMemoryProvider` reads `self._base`, but no assignment to it exists in __init__ (and no class-level…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:57 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:60 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/publish.yml:26 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/publish.yml:32 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v6`: `uses: actions/setup-node@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/coolify/Dockerfile:2 · conf 0.90
[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/coolify/Dockerfile:4 · conf 0.90
[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/fly/Dockerfile:2 · conf 0.90
[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/fly/Dockerfile:4 · conf 0.90
[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/railway/Dockerfile:2 · conf 0.90
[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/railway/Dockerfile:4 · conf 0.90
[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/render/Dockerfile:2 · conf 0.90
[MINED118] Dockerfile FROM `iiidev/iii (no tag)` not pinned by digest: `FROM iiidev/iii (no tag)` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every…
high MINED118 Dockerfile FROM not pinned by sha256 digest CWE-829
deploy/render/Dockerfile:4 · conf 0.90
[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
integrations/openclaw/plugin.mjs:84 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
integrations/pi/index.ts:40 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
integrations/pi/security.ts:10 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC040 innerHTML XSS — template literal with server-supplied data
benchmark/longmemeval-bench.ts:44 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
eval/runner/load.ts:15 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC040 innerHTML XSS — template literal with server-supplied data
src/cli/onboarding.ts:254 · conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
high SEC083 JS: new RegExp() with non-literal
integrations/filesystem-watcher/watcher.mjs:305 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC083 JS: new RegExp() with non-literal
src/functions/privacy.ts:25 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
scripts/check-env-example.mjs:67 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
src/functions/consolidation-pipeline.ts:91 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
src/functions/graph.ts:38 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
integrations/filesystem-watcher/watcher.mjs:187 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/functions/dedup.ts:33 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
src/functions/graph-retrieval.ts:302 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
medium AGT007 localStorage write failures are swallowed silently
website/components/GitHubStarButton.tsx:54 · conf 0.80
localStorage write failures are swallowed silently
medium AGT016 Codex session log reader may expose prompts or tool-call content
src/cli.ts:120 · conf 0.73
Codex session log reader may expose prompts or tool-call content
medium DKR001 Docker final stage has no non-root USER
deploy/coolify/Dockerfile:5 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
deploy/fly/Dockerfile:5 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
deploy/railway/Dockerfile:5 · conf 0.82
Docker final stage has no non-root USER
medium DKR001 Docker final stage has no non-root USER
deploy/render/Dockerfile:5 · conf 0.82
Docker final stage has no non-root USER
medium DKR007 Docker build context has no .dockerignore
.dockerignore · conf 0.90
Docker build context has no .dockerignore
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
plugin/scripts/session-start.mjs:44 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
plugin/scripts/subagent-start.mjs:42 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/eval/metrics-store.ts:46 · conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
medium SEC045 eval()/exec() on stored or user-supplied data
plugin/scripts/post-commit.mjs:22 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
scripts/check-env-example.mjs:67 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
src/functions/consolidation-pipeline.ts:91 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AIC003 Duplicated implementation block across source files
src/cli/connect/codex.ts:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/functions/compress.ts:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/post-tool-failure.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/post-tool-use.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/pre-compact.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/pre-compact.ts:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/prompt-submit.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/prompt-submit.ts:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/session-end.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/session-end.ts:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/session-end.ts:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/session-start.ts:11 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/stop.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/subagent-start.ts:9 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/subagent-start.ts:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/subagent-stop.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/subagent-stop.ts:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/task-completed.ts:1 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/task-completed.ts:14 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/hooks/task-completed.ts:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/embedding/openrouter.ts:16 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/providers/embedding/voyage.ts:12 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
src/state/vector-index.ts:8 · conf 0.86
Duplicated implementation block across source files
low DKC006 Compose service does not declare a runtime user
deploy/coolify/docker-compose.yml:1 · conf 0.56
Compose service does not declare a runtime user
low DKC010 Compose service lacks no-new-privileges hardening
deploy/coolify/docker-compose.yml:1 · conf 0.62
Compose service lacks no-new-privileges hardening
low DKC010 Compose service lacks no-new-privileges hardening
docker-compose.yml:15 · conf 0.62
Compose service lacks no-new-privileges hardening
info DKR002 Dockerfile base image has no explicit tag
deploy/coolify/Dockerfile:3 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/fly/Dockerfile:3 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/railway/Dockerfile:3 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
deploy/render/Dockerfile:3 · conf 0.48
Dockerfile base image is selected through a build variable
info DKR002 Dockerfile base image has no explicit tag
docker-compose.yml:15 · conf 0.48
Compose service `iii-engine` image is selected through a build variable
info ERR002 [ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
benchmark/longmemeval-bench.ts:119 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
eval/runner/coding-life.ts:39 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
eval/runner/longmemeval.ts:43 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 11 more): Same pattern found in 11 additional files. Review if needed.
info MINED045 Ts Non Null Assertion CWE-476
benchmark/longmemeval-bench.ts:101 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
src/functions/actions.ts:225 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
src/functions/auto-forget.ts:89 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED049 Print Pii CWE-532
examples/python/observe_and_recall.py:62 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED052 Ts Any Typed CWE-704
src/functions/migrate.ts:32 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
src/state/reranker.ts:3 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
· conf 0.20
[MINED054] Ts As Any (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED054 Ts As Any CWE-704
benchmark/longmemeval-bench.ts:193 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
src/functions/migrate.ts:58 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
src/functions/smart-search.ts:36 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED055 Npm Install No Lockfile CWE-1357
examples/python/observe_and_recall.py:7 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info MINED055 Npm Install No Lockfile CWE-1357
examples/python/quickstart.py:4 · conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
info SEC020 Secret Printed to Logs
examples/python/observe_and_recall.py:62 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 5 more): Same pattern found in 5 additional files. Review if needed.
info SEC040 innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 11 more): Same pattern found in 11 additional files. Review if needed.
info SEC045 eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 6 more): Same pattern found in 6 additional files. Review if needed.
info SEC085 JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
integrations/pi/index.ts:122 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier
src/state/schema.ts:60 · conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
info SEC128 Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 3 more): Same pattern found in 3 additional files. Review if needed.