
palm1r/qodeassist

https://github.com/Palm1r/QodeAssist · lang: cpp · LOC: · source: user_submitted

Quality: 58.9 (Grade C)
Security: 90.0
Findings: 45 (0 critical · 5 high · 3 medium · 30 low · 7 info)
Status: completed, May 31, 2026 01:22
Top rules by occurrence (rule · severity · count)
AIC003 Duplicated implementation block across source files · low · 30
SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input · high · 4
MINED042 Cpp New Without Delete · info · 4
SEC045 eval()/exec() on stored or user-supplied data · medium · 3
SEC085 JS: child_process.exec with non-literal · high · 1
MINED043 Http Not Https · info · 1
SEC013 Path Traversal — User Input in File Path · high · 1
MINED044 Js Console Log Prod · info · 1
First 45 findings (severity-sorted)
high SEC013 Path Traversal — User Input in File Path
LLMClientInterface.hpp:63 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
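The report gives the SEC013 location but not the surrounding code, so the fix for LLMClientInterface.hpp:63 itself cannot be stated here. What the finding calls for is a containment check before the path is opened, and the block below is an added example of that check, not code from QodeAssist: the function name resolveInside, the base directory /srv/files and the candidate paths are all constructed for the demo. It uses std::filesystem only, so it compiles without Qt.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string_view>

namespace fs = std::filesystem;

// Added example (not QodeAssist code). Resolve a user-supplied relative path
// against an allowed base directory and return the joined path only when it
// stays inside that directory. The check is purely lexical (no filesystem
// access), so it runs anywhere but cannot see symlinks: when the base may
// contain symlinks, open via fs::canonical() and re-check the prefix.
std::optional<fs::path> resolveInside(const fs::path& base, std::string_view userPath) {
    if (userPath.empty()) return std::nullopt;

    const fs::path requested(userPath);
    // An absolute path, or one carrying a root name (C:, //server), would
    // replace base entirely when appended with operator/ instead of nesting under it.
    if (requested.is_absolute() || requested.has_root_name() || requested.has_root_directory())
        return std::nullopt;

    // Normalize both sides so the prefix check is component-wise, not textual,
    // and strip the empty trailing component that "dir/" produces.
    fs::path normBase = base.lexically_normal();
    if (!normBase.empty() && normBase.filename().empty()) normBase = normBase.parent_path();

    fs::path joined = (normBase / requested).lexically_normal();
    if (!joined.empty() && joined.filename().empty()) joined = joined.parent_path();

    // Every component of base must appear, in order, at the start of joined.
    // lexically_normal() has already folded "..", so an escape shows up here
    // as a component mismatch ("/srv/files" vs "/srv/etc").
    auto b = normBase.begin();
    auto j = joined.begin();
    for (; b != normBase.end(); ++b, ++j) {
        if (j == joined.end() || *b != *j) return std::nullopt;
    }
    // "." or "sub/.." collapse to the base directory itself, which is not a file inside it.
    if (j == joined.end()) return std::nullopt;
    return joined;
}

int main() {
    // Constructed inputs for the demo: one benign path and four escape attempts.
    const fs::path base = "/srv/files";
    for (std::string_view candidate : {"docs/readme.md", "../../etc/passwd",
                                       "a/../../etc/passwd", "/etc/passwd", "."}) {
        const auto resolved = resolveInside(base, candidate);
        std::cout << candidate << " -> "
                  << (resolved ? resolved->string() : std::string("REJECTED")) << '\n';
    }
}
```

The component-wise comparison matters: a textual prefix test would accept "/srv/files2/secret" as being under "/srv/files". Because the check never touches the disk, it is safe to run on untrusted input before any file is opened; the symlink case is the one thing it cannot decide lexically, which is why the comment points at fs::canonical() for directories that may contain links.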
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
ChatView/ChatCompressor.cpp:79 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
ChatView/ChatHistoryStore.cpp:186 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
ChatView/FileItem.cpp:39 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
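The three SEC029 hits above share one description: an outbound request to a user-controlled URL with no allowlist. The block below is an added example, not code from QodeAssist, of the check that would sit in front of the HTTP client: scheme, host and address-range validation against a policy. The policy struct, the Verdict enum, the function names and the host api.example.com are this example's own, constructed for the demo. It parses the URL by hand so that it compiles and runs without Qt; inside the plugin QUrl would do that part. Plain http is tolerated only to loopback, which is where the local inference servers behind the provider files listed on this page (llama.cpp, LM Studio, Ollama) normally listen.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

// Added example, not QodeAssist code: allowlist a provider URL before the
// outbound request is built. Hostnames below are constructed for the demo.
static std::string lower(std::string_view s) {
    std::string out(s);
    for (char& c : out) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return out;
}

struct ParsedUrl { std::string scheme, host; };

// Minimal parser for scheme://host[:port][/...]. Userinfo ("trusted@evil")
// and bracketed IPv6 hosts are rejected rather than guessed at.
std::optional<ParsedUrl> parseUrl(std::string_view url) {
    const auto sep = url.find("://");
    if (sep == std::string_view::npos || sep == 0) return std::nullopt;
    const std::string_view rest = url.substr(sep + 3);
    const std::string_view authority = rest.substr(0, rest.find_first_of("/?#"));
    if (authority.empty() || authority.front() == '[' ||
        authority.find('@') != std::string_view::npos)
        return std::nullopt;
    const auto colon = authority.rfind(':');
    const std::string_view host = authority.substr(0, colon);   // npos: whole authority
    const std::string_view port =
        (colon == std::string_view::npos) ? std::string_view{} : authority.substr(colon + 1);
    if (host.empty() || port.size() > 5 ||
        !std::all_of(port.begin(), port.end(), [](unsigned char c) { return std::isdigit(c) != 0; }))
        return std::nullopt;
    return ParsedUrl{lower(url.substr(0, sep)), lower(host)};
}

// Dotted-quad IPv4 literal to a 32-bit value; nullopt when host is not one.
std::optional<std::uint32_t> parseIPv4(const std::string& host) {
    std::uint32_t value = 0;
    int octets = 0;
    std::size_t i = 0;
    while (true) {
        std::size_t j = i;
        while (j < host.size() && std::isdigit(static_cast<unsigned char>(host[j]))) ++j;
        if (j == i || j - i > 3) return std::nullopt;               // empty or over-long octet
        const int octet = std::stoi(host.substr(i, j - i));
        if (octet > 255) return std::nullopt;
        value = (value << 8) | static_cast<std::uint32_t>(octet);
        if (++octets == 4) return j == host.size() ? std::optional<std::uint32_t>(value) : std::nullopt;
        if (j >= host.size() || host[j] != '.') return std::nullopt;
        i = j + 1;
    }
}

// Private, link-local and unspecified ranges a provider request must never reach.
bool isInternalIPv4(std::uint32_t ip) {
    return (ip >> 24) == 10       // 10.0.0.0/8
        || (ip >> 20) == 0xAC1    // 172.16.0.0/12
        || (ip >> 16) == 0xC0A8   // 192.168.0.0/16
        || (ip >> 16) == 0xA9FE   // 169.254.0.0/16 link-local, where cloud metadata services live
        || ip == 0;               // 0.0.0.0
}

struct EndpointPolicy {
    std::vector<std::string> allowedHosts;  // exact lower-case hostnames of configured providers
    bool allowLoopback = true;              // local inference servers over plain http
};

enum class Verdict { Allowed, BadUrl, BadScheme, InternalAddress, HostNotAllowed };

Verdict checkOutboundUrl(std::string_view url, const EndpointPolicy& policy) {
    const auto p = parseUrl(url);
    if (!p) return Verdict::BadUrl;
    if (p->scheme != "http" && p->scheme != "https") return Verdict::BadScheme;
    const auto ipv4 = parseIPv4(p->host);
    if (ipv4 && isInternalIPv4(*ipv4)) return Verdict::InternalAddress;
    const bool loopback = p->host == "localhost" || (ipv4 && (*ipv4 >> 24) == 127);
    if (loopback) return policy.allowLoopback ? Verdict::Allowed : Verdict::InternalAddress;
    if (p->scheme != "https") return Verdict::BadScheme;   // plain http is only tolerated to loopback
    const auto& hosts = policy.allowedHosts;
    if (std::find(hosts.begin(), hosts.end(), p->host) == hosts.end()) return Verdict::HostNotAllowed;
    return Verdict::Allowed;
}

// Constructed policy for the demo: one cloud provider plus local servers.
EndpointPolicy examplePolicy() { return EndpointPolicy{{"api.example.com"}, true}; }

int main() {
    const char* names[] = {"Allowed", "BadUrl", "BadScheme", "InternalAddress", "HostNotAllowed"};
    for (std::string_view url : {"https://api.example.com/v1/chat/completions", "http://localhost:11434/api/generate",
                                 "http://169.254.169.254/", "https://api.example.com@evil.example.net/"})
        std::cout << url << " -> " << names[static_cast<int>(checkOutboundUrl(url, examplePolicy()))] << '\n';
}
```

Two caveats the block cannot cover on its own. The hostname allowlist is evaluated before DNS resolution, so a name that later resolves to an internal address (DNS rebinding) passes here; the resolved socket address needs the same range check at connect time. And every redirect target must go back through checkOutboundUrl, otherwise the HTTP client will follow a 302 from an allowed host to wherever it points.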
high SEC085 JS: child_process.exec with non-literal
UpdateStatusWidget.cpp:68 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0). Triage note: this is a JavaScript rule and the hit is in a C++ source file, and the same line (UpdateStatusWidget.cpp:68) is also flagged by SEC045 below, so confirm what that line actually executes, and with which arguments, before treating it as command injection.
medium SEC045 eval()/exec() on stored or user-supplied data
settings/AgentRolesWidget.cpp:110 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
Triage note: the rule text is written for Python interpreters, while the three SEC045 hits (settings/AgentRolesWidget.cpp:110, settings/SettingsUtils.hpp:36, UpdateStatusWidget.cpp:68) are in C++ sources; check whether each flagged call hands stored text to a shell or script interpreter, or merely matched the tokens eval/exec.
medium SEC045 eval()/exec() on stored or user-supplied data
settings/SettingsUtils.hpp:36 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
medium SEC045 eval()/exec() on stored or user-supplied data
UpdateStatusWidget.cpp:68 · conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
low AIC003 Duplicated implementation block across source files
LLMClientInterface.cpp:95 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/DeepSeekProvider.cpp:37 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/DeepSeekProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/GoogleAIProvider.cpp:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/GoogleAIProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LlamaCppProvider.cpp:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LlamaCppProvider.cpp:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LlamaCppProvider.cpp:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LlamaCppProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LMStudioProvider.cpp:37 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LMStudioProvider.cpp:39 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LMStudioProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LMStudioResponsesProvider.cpp:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LMStudioResponsesProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/LMStudioResponsesProvider.hpp:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/MistralAIProvider.cpp:37 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/MistralAIProvider.cpp:39 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/MistralAIProvider.cpp:42 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/MistralAIProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OllamaCompatProvider.cpp:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OllamaCompatProvider.cpp:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OllamaCompatProvider.cpp:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OllamaCompatProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OllamaCompatProvider.hpp:10 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OllamaProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OpenAICompatProvider.cpp:21 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OpenAICompatProvider.cpp:23 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OpenAICompatProvider.cpp:26 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OpenAICompatProvider.cpp:44 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
providers/OpenAICompatProvider.hpp:7 · conf 0.86
Duplicated implementation block across source files
info MINED042 Cpp New Without Delete CWE-401
· conf 0.20
[MINED042] Cpp New Without Delete (and 47 more): Same pattern found in 47 additional files. Review if needed.
info MINED042 Cpp New Without Delete CWE-401
ChatView/ChatHistoryStore.cpp:121 · conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk. Triage note: QodeAssist is a Qt Creator plugin, and a QObject created with a parent argument is deleted by that parent, so check each hit for an owning parent before treating it as a leak; an unparented raw new is the case to move to std::unique_ptr.
info MINED042 Cpp New Without Delete CWE-401
ChatView/ChatView.cpp:82 · conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
info MINED042 Cpp New Without Delete CWE-401
RefactorSuggestionHoverHandler.cpp:100 · conf 1.00
[MINED042] Cpp New Without Delete: C++ raw new without RAII / unique_ptr — memory leak risk.
info MINED043 Http Not Https CWE-319
sources/providersConfig/ProviderInstance.cpp:43 · conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
info MINED044 Js Console Log Prod CWE-532
.github/scripts/registerPlugin.js:95 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 23 more): Same pattern found in 23 additional files. Review if needed.
