https://github.com/headlesshq/headlessmc · lang: java · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 25 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 8 |
| SEC132 String concat where the language has interpolation (AI styl… | low | 4 |
| MINED116 GHA pull_request workflow leaks secrets to forks | critical | 4 |
| MINED004 Weak Crypto | high | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
| SEC128 Async function without await — fire-and-forget Promise (AI … | high | 4 |
| MINED083 Java Thread Start | info | 4 |
| SEC118 UUIDv1 / UUIDv3 used for security-sensitive identifier | low | 3 |
| MINED042 Cpp New Without Delete | info | 3 |
MINED018
Unsafe Deserialization Pickle
CWE-502
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java:35
· conf 1.00
[MINED018] Unsafe Deserialization Pickle: pickle.loads / yaml.load (without Loader=SafeLoader) / unmarshal of network/file data — RCE.
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/lifecycle.yml:683
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNA…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/lifecycle.yml:684
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` …
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/lifecycle.yml:746
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKERHUB_USERNAME` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_USERNA…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/lifecycle.yml:747
· conf 0.90
[MINED116] Workflow uses `secrets.DOCKERHUB_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.DOCKERHUB_TOKEN }` …
SEC079
Python: yaml.load without SafeLoader
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java:35
· conf 1.00
[SEC079] Python: yaml.load without SafeLoader: yaml.load() without explicit SafeLoader can execute arbitrary Python objects (CVE-2017-18342). Ported from bandit B506 / dlint DUO109 (Apache-2.0 / BSD-…
SEC116
Ruby YAML.load / Marshal.load on untrusted input
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java:35
· conf 1.00
[SEC116] Ruby YAML.load / Marshal.load on untrusted input: `YAML.load` (pre-3.1) and `Marshal.load` instantiate arbitrary Ruby classes — direct RCE on untrusted input. `unsafe_load` is even more dang…
DKR014
Dockerfile copies the entire context without .dockerignore
Dockerfile:5
· conf 0.92
Dockerfile copies the entire context without .dockerignore
MINED004
Weak Crypto
CWE-327
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/modrinth/ModrinthFile.java:21
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/version/LibraryFactory.java:52
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/version/LibraryImpl.java:22
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED011
Scala Get On Option
CWE-476
buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/Extension2ClassWriterAdapter.groovy:15
· conf 1.00
[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.
MINED011
Scala Get On Option
CWE-476
buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/GenerateModuleTask.groovy:14
· conf 1.00
[MINED011] Scala Get On Option: Option.get throws NoSuchElementException on None. Use getOrElse / fold / match.
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/build-runtime-test.yml:41
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/build-runtime-test.yml:52
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/build-runtime-test.yml:59
· conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/build-runtime-test.yml:66
· conf 0.90
[MINED115] Action `gradle/actions/setup-gradle` pinned to mutable ref `@v5`: `uses: gradle/actions/setup-gradle@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action own…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/build-runtime-test.yml:84
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:31
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:32
· conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:50
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:61
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:62
· conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:75
· conf 0.90
[MINED115] Action `madrapps/jacoco-report` pinned to mutable ref `@v1.7.2`: `uses: madrapps/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:125
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:143
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v6`: `uses: actions/setup-python@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:148
· conf 0.90
[MINED115] Action `actions/cache` pinned to mutable ref `@v5`: `uses: actions/cache@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-actions…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:182
· conf 0.90
[MINED115] Action `actions/upload-pages-artifact` pinned to mutable ref `@v4.0.0`: `uses: actions/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by th…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:196
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:204
· conf 0.90
[MINED115] Action `actions/deploy-pages` pinned to mutable ref `@v4`: `uses: actions/deploy-pages@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:216
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/lifecycle.yml:217
· conf 0.90
[MINED115] Action `graalvm/setup-graalvm` pinned to mutable ref `@v1`: `uses: graalvm/setup-graalvm@v1` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that mad…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-matrix-in-memory.yml:17
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v6`: `uses: actions/checkout@v6` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-matrix-in-memory.yml:18
· conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-matrix-in-memory.yml:40
· conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v7`: `uses: actions/upload-artifact@v7` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-matrix-in-memory.yml:102
· conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v5`: `uses: actions/setup-java@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-matrix-in-memory.yml:106
· conf 0.90
[MINED115] Action `actions/download-artifact` pinned to mutable ref `@v8`: `uses: actions/download-artifact@v8` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/run-matrix-in-memory.yml:113
· conf 0.90
[MINED115] Action `headlesshq/mc-runtime-test` pinned to mutable ref `@4.1.0`: `uses: headlesshq/[email protected]` resolves at workflow-run time. Tags and branches can be re-pushed by the action…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:3
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:21-jdk-noble` not pinned by digest: `FROM eclipse-temurin:21-jdk-noble` resolves the tag at build time. The registry CAN re-push a different image for the …
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:14
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:8-jre-noble` not pinned by digest: `FROM eclipse-temurin:8-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the sa…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:16
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:17-jre-noble` not pinned by digest: `FROM eclipse-temurin:17-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the …
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Dockerfile:17
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:21-jre-noble` not pinned by digest: `FROM eclipse-temurin:21-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the …
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Fast.Dockerfile:6
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:21-jdk-noble` not pinned by digest: `FROM eclipse-temurin:21-jdk-noble` resolves the tag at build time. The registry CAN re-push a different image for the …
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Fast.Dockerfile:10
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:8-jre-noble` not pinned by digest: `FROM eclipse-temurin:8-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the sa…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Fast.Dockerfile:12
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:17-jre-noble` not pinned by digest: `FROM eclipse-temurin:17-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the …
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
Fast.Dockerfile:13
· conf 0.90
[MINED118] Dockerfile FROM `eclipse-temurin:21-jre-noble` not pinned by digest: `FROM eclipse-temurin:21-jre-noble` resolves the tag at build time. The registry CAN re-push a different image for the …
MINED134
[MINED134] Binary file `bin/ref/ScriptoriaCommonDefs.dll` committed in source repo: `bin/ref/ScriptoriaCommonDefs.dll` is a .dll binary (29,208 bytes) committed to a repo that otherwise has 1643 source files. Trojan binaries inside otherwise-normal source repos are a known supply-chain attack: a compromised dependency or PR slips in a binary that gets executed by build scripts.
MINED134
gradle/wrapper/gradle-wrapper.jar:1
· conf 0.90
[MINED134] Binary file `gradle/wrapper/gradle-wrapper.jar` committed in source repo: `gradle/wrapper/gradle-wrapper.jar` is a .jar binary (43,764 bytes) committed to a repo that otherwise has 526 sou…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/download/VersionInfoUtil.java:27
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/forge/ForgeInstaller.java:128
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/SpecificsCommand.java:32
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java:84
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
headlessmc-java/src/main/java/io/github/headlesshq/headlessmc/java/download/TemurinDownloader.java:29
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/LauncherBuilder.java:195
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
DKR001
Docker final stage has no non-root USER
Dockerfile:17
· conf 0.82
Docker final stage has no non-root USER
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignore
SEC007
Unsafe Deserialization
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/mods/files/PaperModFileReader.java:35
· conf 1.00
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
SEC012
ZipSlip — Archive Path Traversal
headlessmc-java/src/main/java/io/github/headlesshq/headlessmc/java/download/ArchiveExtractor.java:43
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
SEC034
Log Injection / Log Forging — unsanitized user input in log
headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java:115
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
AIC003
Duplicated implementation block across source files
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/server/downloader/ForgeDownloader.java:43
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/server/downloader/ModLauncherCommandDownloader.java:29
· conf 0.86
Duplicated implementation block across source files
SEC132
String concat where the language has interpolation (AI style drift)
headlessmc-api/src/main/java/io/github/headlesshq/headlessmc/api/classloading/ApiClassloadingHelper.java:46
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
headlessmc-api/src/main/java/io/github/headlesshq/headlessmc/api/command/impl/MemoryCommand.java:39
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
SEC132
String concat where the language has interpolation (AI style drift)
headlessmc-auth/src/main/java/io/github/headlesshq/headlessmc/auth/AbstractLoginCommand.java:261
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
MINED004
Weak Crypto
CWE-327
· conf 0.20
[MINED004] Weak Crypto (and 3 more): Same pattern found in 3 additional files. Review if needed.
MINED042
Cpp New Without Delete
CWE-401
buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/Extension2ClassWriterAdapter.groovy:12
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED042
Cpp New Without Delete
CWE-401
buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/GenerateModuleTask.groovy:23
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED042
Cpp New Without Delete
CWE-401
buildSrc/src/main/groovy/io/github/headlesshq/headlessmc/gradle/ModuleExtension.groovy:59
· conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
MINED064
Python Input Call
headlessmc-scripts/version.py:9
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
MINED081
Java Printstacktrace
CWE-532
headlessmc-launcher-wrapper/src/main/java/io/github/headlesshq/headlessmc/wrapper/plugin/TransformingClassloader.java:72
· conf 1.00
[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.
MINED081
Java Printstacktrace
CWE-532
headlessmc-lwjgl/src/main/java/io/github/headlesshq/headlessmc/lwjgl/redirections/ObjectRedirection.java:46
· conf 1.00
[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.
MINED081
Java Printstacktrace
CWE-532
headlessmc-lwjgl/src/main/java/io/github/headlesshq/headlessmc/lwjgl/redirections/stb/STBImageRedirection.java:47
· conf 1.00
[MINED081] Java Printstacktrace: Should use logger, not stack trace to stderr.
MINED083
Java Thread Start
CWE-664
· conf 0.20
[MINED083] Java Thread Start (and 1 more): Same pattern found in 1 additional file. Review if needed.
MINED083
Java Thread Start
CWE-664
headlessmc-api/src/main/java/io/github/headlesshq/headlessmc/api/command/line/CommandLineReader.java:19
· conf 1.00
[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.
MINED083
Java Thread Start
CWE-664
headlessmc-auth/src/main/java/io/github/headlesshq/headlessmc/auth/AbstractLoginCommand.java:125
· conf 1.00
[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.
MINED083
Java Thread Start
CWE-664
headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java:82
· conf 1.00
[MINED083] Java Thread Start: Raw thread creation. Should use ExecutorService for managed pool.
MINED085
Java Systemexit
CWE-1075
headlessmc-graalvm/src/main/java/io/github/headlesshq/headlessmc/graalvm/Main.java:89
· conf 1.00
[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.
MINED085
Java Systemexit
CWE-1075
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/AbstractLaunchProcessLifecycle.java:281
· conf 1.00
[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.
MINED085
Java Systemexit
CWE-1075
headlessmc-launcher-wrapper/src/main/java/io/github/headlesshq/headlessmc/wrapper/ProcessThread.java:34
· conf 1.00
[MINED085] Java Systemexit: System.exit() inside a library kills the whole JVM.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 15 more): Same pattern found in 15 additional files. Review if needed.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/AbstractLaunchProcessLifecycle.java:56
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/FabricCommand.java:45
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC118
UUIDv1 / UUIDv3 used for security-sensitive identifier
headlessmc-launcher/src/main/java/io/github/headlesshq/headlessmc/launcher/command/forge/ForgeCommand.java:95
· conf 0.10
[SEC118] UUIDv1 / UUIDv3 used for security-sensitive identifier: UUIDv1 encodes the MAC address and timestamp, making it predictable. Used as a session token or password-reset key, it's enumerable.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 5 more): Same pattern found in 5 additional files. Review if needed.
SEC132
String concat where the language has interpolation (AI style drift)
· conf 0.20
[SEC132] String concat where the language has interpolation (AI style drift) (and 19 more): Same pattern found in 19 additional files. Review if needed.