https://github.com/Gitlawb/openclaude ·
lang: typescript ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
| MINED108 self.attribute used but never assigned in __init__ | high | 10 |
| MINED054 Ts As Any | info | 4 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| MINED043 Http Not Https | info | 4 |
| MINED045 Ts Non Null Assertion | info | 4 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 4 |
| ERR002 Empty Catch Block | medium | 4 |
| MINED056 React Key As Index | info | 4 |
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
python/ollama_provider.py:64
· conf 0.95
[COMP001] High cognitive complexity: Function `anthropic_to_ollama_messages` has cognitive complexity 36 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to und…
JRN004
Consent is collected in UI without visible backend audit persistence
src/screens/REPL.tsx:3251
· conf 0.78
Consent is collected in UI without visible backend audit persistence
MINED004
Weak Crypto
CWE-327
src/services/settingsSync/types.ts:30
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
python/tests/test_smart_router.py:167
· conf 1.00
[MINED106] Phantom test coverage: test_route_raises_when_no_providers: Test function `test_route_raises_when_no_providers` runs code but contains no assert / expect / should call — it passes regardle…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:62
· conf 1.00
[MINED108] `self.api_key` used but never assigned in __init__: Method `is_configured` of class `Provider` reads `self.api_key`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:75
· conf 1.00
[MINED108] `self.is_configured` used but never assigned in __init__: Method `score` of class `Provider` reads `self.is_configured`, but no assignment to it exists in __init__ (and no class-level fall… Triage note: the preceding MINED108 entry for python/smart_router.py:62 identifies `is_configured` as a method of `Provider`, so this read is a method lookup rather than an uninitialised attribute and is a likely false positive.
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:80
· conf 1.00
[MINED108] `self.error_rate` used but never assigned in __init__: Method `score` of class `Provider` reads `self.error_rate`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:171
· conf 1.00
[MINED108] `self._ping_provider` used but never assigned in __init__: Method `initialize` of class `SmartRouter` reads `self._ping_provider`, but no assignment to it exists in __init__ (and no class-…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:288
· conf 1.00
[MINED108] `self.initialize` used but never assigned in __init__: Method `route` of class `SmartRouter` reads `self.initialize`, but no assignment to it exists in __init__ (and no class-level fallbac… Triage note: the MINED108 entry for python/smart_router.py:171 identifies `initialize` as a method of `SmartRouter`, so this read is a method lookup rather than an uninitialised attribute and is a likely false positive.
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:291
· conf 1.00
[MINED108] `self.is_large_request` used but never assigned in __init__: Method `route` of class `SmartRouter` reads `self.is_large_request`, but no assignment to it exists in __init__ (and no class-l…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:305
· conf 1.00
[MINED108] `self.get_model_for_provider` used but never assigned in __init__: Method `route` of class `SmartRouter` reads `self.get_model_for_provider`, but no assignment to it exists in __init__ (an…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:341
· conf 1.00
[MINED108] `self._update_latency` used but never assigned in __init__: Method `record_result` of class `SmartRouter` reads `self._update_latency`, but no assignment to it exists in __init__ (and no c…
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:354
· conf 1.00
[MINED108] `self._recheck_provider` used but never assigned in __init__: Method `record_result` of class `SmartRouter` reads `self._recheck_provider`, but no assignment to it exists in __init__ (and … Triage note: the next MINED108 entry (python/smart_router.py:361) identifies `_recheck_provider` as a method of `SmartRouter`, so this read is a method lookup rather than an uninitialised attribute and is a likely false positive.
MINED108
self.attribute used but never assigned in __init__
CWE-476
python/smart_router.py:361
· conf 1.00
[MINED108] `self._ping_provider` used but never assigned in __init__: Method `_recheck_provider` of class `SmartRouter` reads `self._ping_provider`, but no assignment to it exists in __init__ (and no…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:2
· conf 0.90
[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:31
· conf 0.90
[MINED118] Dockerfile FROM `node:22-slim` not pinned by digest: `FROM node:22-slim` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
SEC018
AI-Agent Secret Retrieval Command
src/utils/secureStorage/macOsKeychainStorage.ts:40
· conf 1.00
[SEC018] AI-Agent Secret Retrieval Command: A command that prints or embeds credentials was committed. AI coding agents often add these commands while trying to help with setup or deployment, but the…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
python/atomic_chat_provider.py:26
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
scripts/pr-intent-scan.ts:156
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/bridge/bridgeStatusUtil.ts:39
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
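The three SEC029 findings above all describe the same gap: an outbound request whose target host is never validated. The following is an added example, not code from the openclaude repository, of the allowlist check the rule asks for. `ALLOWED_HOSTS` is a constructed allowlist and `checkOutboundUrl`, `isBlockedIPv4` and `UrlCheck` are assumed names. It rejects non-http(s) schemes, URLs that hide the real host behind userinfo, hosts outside the allowlist, and internal address literals such as the 169.254.169.254 metadata endpoint the finding text mentions.

```typescript
// Added example (not openclaude code): the allowlist validation SEC029 reports as missing.
export const ALLOWED_HOSTS: ReadonlySet<string> = new Set([
  'api.example.internal', // constructed allowlist entries
  'registry.example.com',
]);

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Parses a dotted-quad IPv4 literal into an unsigned 32-bit integer; null if the
// hostname is not an IPv4 literal.
function ipv4ToInt(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const a = Number(m[1]), b = Number(m[2]), c = Number(m[3]), d = Number(m[4]);
  if ([a, b, c, d].some((x) => x > 255)) return null;
  return ((a << 24) >>> 0) + (b << 16) + (c << 8) + d;
}

// Loopback, RFC 1918, link-local (where 169.254.169.254, the cloud metadata
// endpoint, lives) and "this network".
const BLOCKED_V4: ReadonlyArray<[string, number]> = [
  ['127.0.0.0', 8], ['10.0.0.0', 8], ['172.16.0.0', 12],
  ['192.168.0.0', 16], ['169.254.0.0', 16], ['0.0.0.0', 8],
];

export function isBlockedIPv4(host: string): boolean {
  const n = ipv4ToInt(host);
  if (n === null) return false;
  return BLOCKED_V4.some(([base, bits]) => {
    const b = ipv4ToInt(base) ?? 0;
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((b & mask) >>> 0);
  });
}

export function checkOutboundUrl(raw: string, allowed: ReadonlySet<string> = ALLOWED_HOSTS): UrlCheck {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  // "https://api.example.internal@169.254.169.254/" puts the allowlisted name in
  // the userinfo part; the real host is whatever follows the "@".
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'userinfo in URL' };
  }
  const host = url.hostname.toLowerCase();
  if (!allowed.has(host)) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  // Defence in depth: even an allowlisted entry must not be an internal address.
  // IPv6 literals come back bracketed from the URL parser, e.g. "[::1]".
  if (isBlockedIPv4(host) || host.startsWith('[')) {
    return { ok: false, reason: `host ${host} is an internal address` };
  }
  return { ok: true, url };
}
```

Hostname allowlisting does not protect against DNS rebinding: a permitted name can resolve to an internal address at request time. Where that matters, resolve first and connect to the checked address, or route outbound traffic through an egress proxy that enforces the same allowlist.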
SEC040
innerHTML XSS — template literal with server-supplied data
scripts/render-coverage-heatmap.ts:197
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
src/components/LogoPicker.tsx:26
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
src/components/permissions/hooks.ts:80
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
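The SEC040 entries above flag template literals assigned to `.innerHTML`. As an added example, not code from openclaude, the block below puts the vulnerable shape next to a hardened one: `renderLogoCardUnsafe`, `renderLogoCard` and `escapeHtml` are assumed names, and `XSS_NAME` and `XSS_URL` are constructed attacker inputs. Both functions return the HTML string rather than touching a DOM, so the example runs under Node.

```typescript
// Added example (not openclaude code): the innerHTML sink SEC040 flags, before and after.
const HTML_ESCAPES: Readonly<Record<string, string>> = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Entity-encodes the five characters that can break out of text content or a
// double-quoted attribute value.
export function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// VULNERABLE shape: the interpolated values reach the HTML parser verbatim, so a
// name such as <img src=x onerror=...> becomes live markup the moment this string
// is assigned to element.innerHTML.
export function renderLogoCardUnsafe(name: string, logoUrl: string): string {
  return `<div class="logo"><img src="${logoUrl}"><span>${name}</span></div>`;
}

// HARDENED: every interpolation is escaped, and the URL is additionally required
// to be http(s) so a "javascript:" URL cannot be smuggled into src.
export function renderLogoCard(name: string, logoUrl: string): string {
  const safeUrl = /^https?:\/\//i.test(logoUrl) ? escapeHtml(logoUrl) : '';
  return `<div class="logo"><img src="${safeUrl}"><span>${escapeHtml(name)}</span></div>`;
}

// Constructed attacker-controlled inputs.
export const XSS_NAME = '<img src=x onerror="alert(document.cookie)">';
export const XSS_URL = 'javascript:alert(1)';
```

Escaping is the fallback for when HTML must be produced as a string. Where the value is plain text, set `textContent` or render it as React children instead; in React the equivalent sink is `dangerouslySetInnerHTML`, and the same rule applies to it.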
SEC083
JS: new RegExp() with non-literal
scripts/no-telemetry-plugin.ts:130
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
src/services/teamMemorySync/secretScanner.ts:233
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
src/tools/BashTool/sedEditParser.ts:314
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
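The three SEC083 entries above are `new RegExp(<variable>)` calls. The usual root cause is a caller that only ever wanted a literal substring match. The block below is an added example, not openclaude code: `escapeRegExp`, `findUnsafe` and `findLiteral` are assumed names, and `EVIL_PATTERN` is a constructed attacker input of the nested-quantifier form that SEC031 on this page also describes.

```typescript
// Added example (not openclaude code): taking user text out of the RegExp constructor.

// Backslash-escapes every RegExp metacharacter so the input matches itself literally.
export function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// VULNERABLE shape: user text becomes the pattern. '(a+)+$' is the classic
// catastrophic-backtracking pattern; against 'aaaaaaaaaaaaaaaaaaaaaaaaaaaab' the
// engine's running time grows exponentially with the number of a's.
export function findUnsafe(haystack: string, needle: string): number {
  return haystack.search(new RegExp(needle));
}

// HARDENED for the common case (the caller wants a literal substring): escape the
// needle and cap its length so an enormous one cannot bloat the compiled pattern.
export function findLiteral(haystack: string, needle: string, maxNeedle = 256): number {
  if (needle.length === 0 || needle.length > maxNeedle) return -1;
  return haystack.search(new RegExp(escapeRegExp(needle)));
}

export const EVIL_PATTERN = '(a+)+$'; // constructed attacker input
```

When a user-supplied pattern is the feature rather than an accident (custom secret-scanner rules, for instance), escaping is not the answer. Compile such patterns with a linear-time engine such as the `re2` npm package, or run the match in a worker thread with a timeout so one rule cannot stall the process.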
SEC085
JS: child_process.exec with non-literal
scripts/pr-intent-scan.ts:123
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
src/buddy/useBuddyNotification.tsx:90
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
src/components/GlobalSearchDialog.tsx:332
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/bridge/jwtUtils.ts:209
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/bridge/trustedDevice.ts:81
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
src/commands/logout/logout.tsx:22
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
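Two of the SEC128 hits above sit in credential-handling code (jwtUtils.ts, trustedDevice.ts, logout.tsx), where "the outer function resolves before the inner work completes" means a caller can proceed while a token is still stored. The block below is an added example, not openclaude code, that makes the race observable: `SessionStore`, `makeStore`, `clearStoredToken`, `logoutBuggy` and `logoutFixed` are assumed names, and the token value is constructed.

```typescript
// Added example (not openclaude code): the un-awaited async call SEC128 flags, and its fix.
export interface SessionStore {
  token: string | null;
  log: string[];
}

export function makeStore(): SessionStore {
  return { token: 'constructed-token-value', log: [] };
}

// Stands in for an async keychain or file write: the clear lands on a later tick.
export async function clearStoredToken(store: SessionStore): Promise<void> {
  await Promise.resolve();
  store.token = null;
  store.log.push('cleared');
}

// BUGGY: clearStoredToken is called but not awaited. logoutBuggy returns at once,
// the caller continues while the token is still stored, and if the clear ever
// rejects, the rejection is unhandled and nobody learns the logout failed.
export function logoutBuggy(store: SessionStore): void {
  clearStoredToken(store);
  store.log.push('logout returned');
}

// FIXED: the Promise is awaited, so the clear has settled before the caller
// continues, and a failure propagates as a rejection the caller can handle.
export async function logoutFixed(store: SessionStore): Promise<void> {
  await clearStoredToken(store);
  store.log.push('logout returned');
}
```

The `@typescript-eslint/no-floating-promises` rule catches this pattern mechanically; enabling it in CI is cheaper than reviewing every async call by hand.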
AGT006
React interval is created without an explicit cleanup
src/cli/print.ts:549
· conf 0.78
React interval is created without an explicit cleanup
AGT006
React interval is created without an explicit cleanup
src/components/Spinner/useShimmerAnimation.ts:13
· conf 0.78
React interval is created without an explicit cleanup
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
python/atomic_chat_provider.py:94
· conf 0.95
[COMP001] High cognitive complexity: Function `atomic_chat_stream` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/bridge/replBridgeHandle.ts:22
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/commands/rename/rename.ts:71
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
src/components/Onboarding.tsx:167
· conf 1.00
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
MINED111
Bare except continues silently
python/atomic_chat_provider.py:35
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
python/ollama_provider.py:30
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC001
Hardcoded Password
src/utils/urlRedaction.ts:36
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.
SEC031
Catastrophic Backtracking Regex (ReDoS)
src/tools/shared/gitOperationTracking.ts:23
· conf 1.00
[SEC031] Catastrophic Backtracking Regex (ReDoS): Regex contains nested quantifiers like `(a+)+` or quantified alternation with overlapping branches. On adversarial input these patterns exhibit expon…
SEC045
eval()/exec() on stored or user-supplied data
scripts/pr-intent-scan.ts:123
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
src/buddy/useBuddyNotification.tsx:90
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
src/components/GlobalSearchDialog.tsx:332
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
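The three SEC045 hits above are at exactly the file:line positions of the three SEC085 hits earlier on this page (scripts/pr-intent-scan.ts:123, src/buddy/useBuddyNotification.tsx:90, src/components/GlobalSearchDialog.tsx:332), and the SEC045 text talks about Python `__builtins__` sandboxes. Each location is therefore one `exec` call, child_process.exec, and should be triaged once as command injection rather than twice. The block below is an added example serving both rule groups, not openclaude code: `buildNotifyCommandUnsafe` and `echoArgWithoutShell` are assumed names and `INJECTION` is a constructed attacker input.

```typescript
import { execFileSync } from 'node:child_process';

// Added example (not openclaude code): child_process.exec with a variable, and the no-shell replacement.

// VULNERABLE shape (SEC085): the argument is spliced into one shell command line,
// so ';', '|', '$(...)' and backticks inside it are parsed as shell syntax. The
// string is returned instead of being handed to child_process.exec so the
// example stays inert.
export function buildNotifyCommandUnsafe(message: string): string {
  return `notify-send "${message}"`;
}

// HARDENED: execFile with an argv array and no shell. Every byte of userInput
// reaches the child as a single argument; nothing interprets it. Node itself is
// used as the child so the demo runs anywhere Node does.
export function echoArgWithoutShell(userInput: string): string {
  return execFileSync(
    process.execPath,
    ['-e', 'process.stdout.write(process.argv[1])', userInput],
    { encoding: 'utf8' },
  );
}

// Constructed attacker input: closes the quote, chains commands, and uses both
// forms of command substitution.
export const INJECTION = '"; echo pwned $(id) `whoami`; echo "';
```

Passing `{ shell: true }` to `execFile` or `spawn` reintroduces the original problem. If a command genuinely must run through a shell, validate the argument against an allowlist of expected values before building the command line.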
SEC134
AI scaffold leftover — Lorem ipsum / example.com / John Doe in code
src/utils/mcp/elicitationValidation.ts:24
· conf 1.00
[SEC134] AI scaffold leftover — Lorem ipsum / example.com / John Doe in code: Lorem ipsum / John Doe / example.com left in non-test code. AI agents emit these as 'reasonable defaults' when they don't…
SEC136
AI-typical over-broad exception handler swallowing all errors
src/utils/storage/SQLiteProvider.ts:257
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
WEB015
Public web app has no Content Security Policy
index.html
· conf 0.70
Public web app has no Content Security Policy
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
python/ollama_provider.py:130
· conf 0.95
[COMP001] High cognitive complexity: Function `ollama_chat_stream` has cognitive complexity 13 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …
DKR008
.dockerignore misses sensitive defaults
.dockerignore
· conf 0.72
.dockerignore misses sensitive defaults
SEC132
String concat where the language has interpolation (AI style drift)
src/cli/handlers/autoMode.ts:125
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
WEB001
Public web app has no robots.txt
robots.txt
· conf 0.74
Public web app has no robots.txt
WEB002
Public web app has no sitemap
sitemap.xml
· conf 0.72
Public web app has no sitemap
WEB008
Public docs site has no llms.txt
llms.txt
· conf 0.64
Public docs site has no llms.txt
WEB011
Public web app has no humans.txt
humans.txt
· conf 0.50
Public web app has no humans.txt
ERR002
[ERR002] Empty Catch Block: Empty catch blocks hide errors.
· conf 0.20
[ERR002] Empty Catch Block (and 11 more): Same pattern found in 11 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
· conf 0.20
[MINED043] Http Not Https (and 7 more): Same pattern found in 7 additional files. Review if needed.
MINED043
Http Not Https
CWE-319
src/commands/mcp/addCommand.ts:129
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
src/commands/plugin/parseArgs.ts:46
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
src/services/api/codexOAuthShared.ts:67
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 25 more): Same pattern found in 25 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
scripts/generate-integrations-artifacts.ts:8
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
scripts/grpc-cli.ts:49
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
scripts/no-telemetry-plugin.ts:138
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED045
Ts Non Null Assertion
CWE-476
· conf 0.20
[MINED045] Ts Non Null Assertion (and 99 more): Same pattern found in 99 additional files. Review if needed.
MINED045
Ts Non Null Assertion
CWE-476
scripts/grpc-cli.ts:107
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
scripts/provider-launch.ts:196
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED045
Ts Non Null Assertion
CWE-476
src/bridge/bridgeEnabled.ts:81
· conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
MINED049
Print Pii
CWE-532
scripts/provider-recommend.ts:254
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED052
Ts Any Typed
CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 13 more): Same pattern found in 13 additional files. Review if needed.
MINED052
Ts Any Typed
CWE-704
scripts/grpc-cli.ts:44
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
src/components/ClaudeMdExternalIncludesDialog.tsx:120
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED052
Ts Any Typed
CWE-704
src/components/EffortPicker.tsx:37
· conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
MINED054
Ts As Any
CWE-704
· conf 0.20
[MINED054] Ts As Any (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED054
Ts As Any
CWE-704
scripts/grpc-cli.ts:16
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
src/entrypoints/mcp.ts:226
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED054
Ts As Any
CWE-704
src/grpc/server.ts:22
· conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
MINED055
Npm Install No Lockfile
CWE-1357
src/tools/TodoWriteTool/prompt.ts:129
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci. The flagged location is src/tools/TodoWriteTool/prompt.ts:129, a prompt-text module rather than a Dockerfile or CI step, so confirm that the matched `npm install` is actually executed in a build before acting on this.
MINED056
React Key As Index
CWE-682
· conf 0.20
[MINED056] React Key As Index (and 38 more): Same pattern found in 38 additional files. Review if needed.
MINED056
React Key As Index
CWE-682
src/buddy/CompanionSprite.tsx:70
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
src/buddy/useBuddyNotification.tsx:41
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED056
React Key As Index
CWE-682
src/commands/install-github-app/CreatingStep.tsx:55
· conf 1.00
[MINED056] React Key As Index: key={index} in map() — re-renders the wrong elements on re-order.
MINED065
Cors Wildcard
CWE-942, CWE-346
src/services/api/xaiOAuthCallback.ts:94
· conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
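The MINED065 hit is on an OAuth callback handler, which handles an authorization code rather than public read-only data, so the "acceptable for public endpoints" exception does not apply. As an added example, not openclaude code, the block below shows the wildcard next to an exact-match allowlist: `ALLOWED_ORIGINS` is a constructed allowlist and `corsHeadersWildcard` and `corsHeaders` are assumed names.

```typescript
// Added example (not openclaude code): replacing Access-Control-Allow-Origin: * with an origin allowlist.
export const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  'http://localhost:3000', // constructed allowlist entries
  'https://app.example.com',
]);

// WEAK: wildcard. Browsers refuse to send credentials to a "*" response, so the
// moment a cookie or Authorization header is needed this silently breaks, and the
// common "fix" of reflecting the Origin header blindly is worse than the wildcard.
export function corsHeadersWildcard(): Record<string, string> {
  return { 'Access-Control-Allow-Origin': '*' };
}

// HARDENED: exact-match allowlist, echo only the matched origin, and Vary on
// Origin so a shared cache cannot serve one origin's response to another.
// A missing Origin, or the literal "null" origin, gets no CORS grant at all.
export function corsHeaders(
  origin: string | undefined,
  allowed: ReadonlySet<string> = ALLOWED_ORIGINS,
): Record<string, string> {
  if (!origin || !allowed.has(origin)) {
    return { Vary: 'Origin' };
  }
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}
```

Origins are compared as whole strings, scheme and port included, so `http://app.example.com` is not matched by an `https://app.example.com` entry; that is intended.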
SEC020
Secret Printed to Logs
scripts/provider-launch.ts:126
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
scripts/provider-recommend.ts:148
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 46 more): Same pattern found in 46 additional files. Review if needed.
SEC040
innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 9 more): Same pattern found in 9 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 12 more): Same pattern found in 12 additional files. Review if needed.
SEC083
JS: new RegExp() with non-literal
· conf 0.20
[SEC083] JS: new RegExp() with non-literal (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 12 more): Same pattern found in 12 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
src/server/directConnectManager.ts:180
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 42 more): Same pattern found in 42 additional files. Review if needed.