https://github.com/D4Vinci/Scrapling ·
lang: python ·
LOC: ·
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 13 |
| MINED111 Bare except continues silently | medium | 6 |
| MINED124 requirements.txt entry has no version pin | medium | 5 |
| COMP001 High cognitive complexity: Function `load_yfinanc… | low | 4 |
| MINED050 Stub Only Function | info | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
| MINED062 Python Dataclass No Fields | info | 4 |
| AIC003 Duplicated implementation block across source files | low | 3 |
MINED013
Password In Url
CWE-200
scrapling/engines/toolbelt/proxy_rotation.py:60
· conf 1.00
[MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
MINED018
Unsafe Deserialization Pickle
CWE-502
scrapling/spiders/checkpoint.py:74
· conf 1.00
[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
MINED030
Python Pickle Loads
CWE-502
scrapling/spiders/checkpoint.py:74
· conf 1.00
[MINED030] Python Pickle Loads: pickle.loads() can execute arbitrary code via __reduce__.
MINED107
Missing Python import (NameError at runtime)
CWE-1075
scrapling/core/utils/_utils.py:119
· conf 1.00
[MINED107] Missing import: `string` used but not imported: The file uses `string.something(...)` but never imports `string`. This raises NameError at runtime the first time the line executes.
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/docker-build.yml:39
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_USERNAME }` …
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/docker-build.yml:40
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKER_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKER_PASSWORD }` …
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/docker-build.yml:47
· conf 0.90
[MINED116] Workflow uses `secrets.CONTAINER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.CONTAINER_TOKEN }` …
MINED125
GHA run-step interpolates attacker-controllable github.event field
CWE-78, CWE-94
.github/workflows/release-and-publish.yml:27
· conf 0.90
[MINED125] GHA script injection via github.event.pull_request.title in run-step: `run:` step interpolates ${{ github.event.pull_request.title }} directly into shell. PR title/body/branch/comment fiel…
SEC081
Python: pickle.loads / marshal.loads on untrusted data
scrapling/spiders/checkpoint.py:74
· conf 1.00
[SEC081] Python: pickle.loads / marshal.loads on untrusted data: pickle.load(s) and marshal.load(s) execute arbitrary code on untrusted input. Ported from dlint DUO103 / DUO120 (BSD-3).
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
scrapling/core/mixins.py:15
· conf 0.95
[COMP001] High cognitive complexity: Function `_general_selection` has cognitive complexity 55 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …
MINED004
Weak Crypto
CWE-327
scrapling/spiders/request.py:122
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:47
· conf 1.00
[MINED106] Phantom test coverage: test_lxml: Test function `test_lxml` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifyin…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:59
· conf 1.00
[MINED106] Phantom test coverage: test_bs4_lxml: Test function `test_bs4_lxml` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:64
· conf 1.00
[MINED106] Phantom test coverage: test_bs4_html5lib: Test function `test_bs4_html5lib` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:69
· conf 1.00
[MINED106] Phantom test coverage: test_pyquery: Test function `test_pyquery` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without ve…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:74
· conf 1.00
[MINED106] Phantom test coverage: test_scrapling: Test function `test_scrapling` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage withou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:82
· conf 1.00
[MINED106] Phantom test coverage: test_parsel: Test function `test_parsel` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without veri…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:87
· conf 1.00
[MINED106] Phantom test coverage: test_mechanicalsoup: Test function `test_mechanicalsoup` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:94
· conf 1.00
[MINED106] Phantom test coverage: test_selectolax: Test function `test_selectolax` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage with…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:111
· conf 1.00
[MINED106] Phantom test coverage: test_scrapling_text: Test function `test_scrapling_text` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
benchmarks.py:116
· conf 1.00
[MINED106] Phantom test coverage: test_autoscraper: Test function `test_autoscraper` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage wi…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/core/test_shell_core.py:92
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_header_format: Test function `test_invalid_header_format` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/parser/test_attributes_handler.py:112
· conf 1.00
[MINED106] Phantom test coverage: test_json_error_handling: Test function `test_json_error_handling` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/parser/test_general.py:167
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_selector_initialization: Test function `test_invalid_selector_initialization` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/parser/test_general.py:176
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_storage: Test function `test_invalid_storage` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cov…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/parser/test_general.py:181
· conf 1.00
[MINED106] Phantom test coverage: test_bad_selectors: Test function `test_bad_selectors` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverag…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/parser/test_general.py:192
· conf 1.00
[MINED106] Phantom test coverage: test_unpickleable_objects: Test function `test_unpickleable_objects` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/parser/test_parser_advanced.py:309
· conf 1.00
[MINED106] Phantom test coverage: test_text_handler_json_invalid: Test function `test_text_handler_json_invalid` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_checkpoint.py:79
· conf 1.00
[MINED106] Phantom test coverage: test_init_with_negative_interval_raises: Test function `test_init_with_negative_interval_raises` runs code but contains no assert / expect / should call — it passes …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_checkpoint.py:84
· conf 1.00
[MINED106] Phantom test coverage: test_init_with_invalid_interval_type_raises: Test function `test_init_with_invalid_interval_type_raises` runs code but contains no assert / expect / should call — it…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_checkpoint.py:220
· conf 1.00
[MINED106] Phantom test coverage: test_cleanup_no_error_when_no_file: Test function `test_cleanup_no_error_when_no_file` runs code but contains no assert / expect / should call — it passes regardless…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_session.py:43
· conf 1.00
[MINED106] Phantom test coverage: test_manager_no_default_session_when_empty: Test function `test_manager_no_default_session_when_empty` runs code but contains no assert / expect / should call — it p…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_session.py:96
· conf 1.00
[MINED106] Phantom test coverage: test_add_duplicate_id_raises: Test function `test_add_duplicate_id_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_session.py:143
· conf 1.00
[MINED106] Phantom test coverage: test_remove_nonexistent_raises: Test function `test_remove_nonexistent_raises` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_session.py:196
· conf 1.00
[MINED106] Phantom test coverage: test_get_nonexistent_raises_with_available: Test function `test_get_nonexistent_raises_with_available` runs code but contains no assert / expect / should call — it p…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/spiders/test_sitemap.py:173
· conf 1.00
[MINED106] Phantom test coverage: test_start_requests_raises_when_nothing_configured: Test function `test_start_requests_raises_when_nothing_configured` runs code but contains no assert / expect / sh…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:184
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `__getitem__` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-leve…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:186
· conf 1.00
[MINED108] `self.attrib` used but never assigned in __init__: Method `__getitem__` of class `Selector` reads `self.attrib`, but no assignment to it exists in __init__ (and no class-level fallback). T…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:189
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `__contains__` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:191
· conf 1.00
[MINED108] `self.attrib` used but never assigned in __init__: Method `__contains__` of class `Selector` reads `self.attrib`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:248
· conf 1.00
[MINED108] `self.__elements_convertor` used but never assigned in __init__: Method `__handle_elements` of class `Selector` reads `self.__elements_convertor`, but no assignment to it exists in __init_…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:262
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `tag` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallba…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:271
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `text` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:298
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `get_all_text` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:338
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `attrib` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fal…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:347
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `html_content` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:357
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `body` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:363
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `prettify` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:381
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `has_class` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level …
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:389
· conf 1.00
[MINED108] `self.__element_convertor` used but never assigned in __init__: Method `parent` of class `Selector` reads `self.__element_convertor`, but no assignment to it exists in __init__ (and no cla…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:394
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `below_elements` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-l…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:397
· conf 1.00
[MINED108] `self.__elements_convertor` used but never assigned in __init__: Method `below_elements` of class `Selector` reads `self.__elements_convertor`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:402
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `children` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:405
· conf 1.00
[MINED108] `self.__element_convertor` used but never assigned in __init__: Method `children` of class `Selector` reads `self.__element_convertor`, but no assignment to it exists in __init__ (and no c…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:413
· conf 1.00
[MINED108] `self.parent` used but never assigned in __init__: Method `siblings` of class `Selector` reads `self.parent`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:414
· conf 1.00
[MINED108] `self.parent` used but never assigned in __init__: Method `siblings` of class `Selector` reads `self.parent`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:419
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `iterancestors` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-le…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:422
· conf 1.00
[MINED108] `self.__element_convertor` used but never assigned in __init__: Method `iterancestors` of class `Selector` reads `self.__element_convertor`, but no assignment to it exists in __init__ (and…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:429
· conf 1.00
[MINED108] `self.iterancestors` used but never assigned in __init__: Method `find_ancestor` of class `Selector` reads `self.iterancestors`, but no assignment to it exists in __init__ (and no class-le…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:437
· conf 1.00
[MINED108] `self.iterancestors` used but never assigned in __init__: Method `path` of class `Selector` reads `self.iterancestors`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scrapling/parser.py:443
· conf 1.00
[MINED108] `self._is_text_node` used but never assigned in __init__: Method `next` of class `Selector` reads `self._is_text_node`, but no assignment to it exists in __init__ (and no class-level fallb…
MINED110
Blocking call inside async function
CWE-833
tests/spiders/test_scheduler.py:222
· conf 1.00
[MINED110] Blocking call `requests.append` inside async function `test_snapshot_returns_copies`: `requests.append` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the e…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yml:46
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yml:51
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/code-quality.yml:186
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v6`: `uses: actions/upload-artifact@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docker-build.yml:28
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release-and-publish.yml:21
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release-and-publish.yml:30
· conf 0.90
[MINED115] Action `actions/github-script` pinned to mutable ref `@v8`: `uses: actions/github-script@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release-and-publish.yml:49
· conf 0.90
[MINED115] Action `softprops/action-gh-release` pinned to mutable ref `@v2`: `uses: softprops/action-gh-release@v2` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release-and-publish.yml:60
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/release-and-publish.yml:74
· conf 0.90
[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed b…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:62
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:65
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:87
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:110
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:1
· conf 0.90
[MINED118] Dockerfile FROM `python:3.12-slim-trixie` not pinned by digest: `FROM python:3.12-slim-trixie` resolves the tag at build time. The registry CAN re-push a different image for the same tag, …
MINED131
pre-commit hook pinned to branch/tag instead of SHA
CWE-829
.pre-commit-config.yaml:2
· conf 0.90
[MINED131] pre-commit hook `https://github.com/PyCQA/bandit` pinned to mutable rev `1.9.0`: `.pre-commit-config.yaml` references `https://github.com/PyCQA/bandit` at `rev: 1.9.0`. If `{rev}` is a bra…
MINED131
pre-commit hook pinned to branch/tag instead of SHA
CWE-829
.pre-commit-config.yaml:16
· conf 0.90
[MINED131] pre-commit hook `https://github.com/netromdk/vermin` pinned to mutable rev `v1.7.0`: `.pre-commit-config.yaml` references `https://github.com/netromdk/vermin` at `rev: v1.7.0`. If `{rev}` …
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scrapling/core/storage.py:24
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scrapling/engines/_browsers/_validators.py:42
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scrapling/spiders/links.py:249
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC078
Python: requests without timeout
benchmarks.py:138
· conf 1.00
[SEC078] Python: requests without timeout: requests.get/post without a timeout will hang indefinitely on a non-responsive server, causing thread exhaustion and ReDoS. Ported from bandit B113 (Apache-…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
scrapling/engines/_browsers/_validators.py:209
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
scrapling/spiders/request.py:163
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
AGT012
Agent control bridge may listen on a network interface without visible auth
scrapling/cli.py:153
· conf 0.72
Agent control bridge may listen on a network interface without visible auth
DKR001
Docker final stage has no non-root USER
Dockerfile:1
· conf 0.82
Docker final stage has no non-root USER
DKR009
Dockerfile separates apt update from install
Dockerfile:24
· conf 0.86
Dockerfile separates apt update from install
DKR014
Dockerfile copies the entire context without .dockerignore
Dockerfile:21
· conf 0.76
Dockerfile copies broad context with incomplete .dockerignore
MINED111
Bare except continues silently
cleanup.py:29
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
cleanup.py:37
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scrapling/core/ai.py:307
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scrapling/core/shell.py:363
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scrapling/spiders/engine.py:210
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
tests/core/test_storage_core.py:213
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED124
requirements.txt entry has no version pin
CWE-1357
docs/requirements.txt:8
· conf 0.90
[MINED124] requirements.txt: `pngquant` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/requirements.txt:2
· conf 0.90
[MINED124] requirements.txt: `pytest-cov` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosqua…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/requirements.txt:4
· conf 0.90
[MINED124] requirements.txt: `werkzeug<3.0.0` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typo…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/requirements.txt:6
· conf 0.90
[MINED124] requirements.txt: `pytest-asyncio` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typo…
MINED124
requirements.txt entry has no version pin
CWE-1357
tests/requirements.txt:8
· conf 0.90
[MINED124] requirements.txt: `pytest-xdist` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosq…
SEC007
Unsafe Deserialization
scrapling/spiders/checkpoint.py:74
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
AIC003
Duplicated implementation block across source files
scrapling/engines/_browsers/_stealth.py:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scrapling/fetchers/stealth_chrome.py:20
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scrapling/fetchers/stealth_chrome.py:22
· conf 0.86
Duplicated implementation block across source files
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
cleanup.py:6
· conf 0.95
[COMP001] High cognitive complexity: Function `clean` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branch…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
scrapling/core/translator.py:36
· conf 0.95
[COMP001] High cognitive complexity: Function `__str__` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested bran…
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
scrapling/engines/toolbelt/proxy_rotation.py:60
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
scrapling/core/storage.py:49
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
scrapling/core/translator.py:74
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
scrapling/engines/toolbelt/custom.py:179
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED062
Python Dataclass No Fields
· conf 0.20
[MINED062] Python Dataclass No Fields (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED062
Python Dataclass No Fields
scrapling/engines/_browsers/_page.py:13
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
scrapling/engines/_browsers/_validators.py:158
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
scrapling/spiders/checkpoint.py:15
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED067
Python Requests No Timeout
CWE-400
benchmarks.py:138
· conf 1.00
[MINED067] Python Requests No Timeout: requests.get/post/etc. without timeout= can hang forever.
SEC020
Secret Printed to Logs
scrapling/core/utils/_utils.py:58
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed.