← Legacy view v2 (rp.*)

hiram-wong/zyfun

https://github.com/Hiram-Wong/zyfun · lang: typescript · LOC: · source: user_submitted

Quality
68.2
Grade B-
Security
92.2
Findings
9
0 critical · 0 high
Status
completed
May 15, 2026 11:07
info: 4 low: 3 medium: 2
Top rules by occurrence
RuleSeverityCount
SEC006 XSS Risk high 4
SEC015 Insecure Randomness for Security medium 3
SEC020 Secret Printed to Logs high 1
SEC007 Unsafe Deserialization medium 1
First 9 findings (severity-sorted)
medium SEC007 Unsafe Deserialization
scripts/before-pack.js:45 · conf 1.00 
[SEC007] Unsafe Deserialization: Unsafe deserialization can execute arbitrary code.
medium SEC015 Insecure Randomness for Security
src/main/services/FastifyService/routes/v1/film/cms/index.ts:376 · conf 1.00 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
low SEC006 XSS Risk
src/renderer/src/components/multi-player/src/core/nplayer/plugins/pip.ts:29 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
src/renderer/src/components/multi-player/src/core/nplayer/plugins/playNext.ts:32 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
low SEC006 XSS Risk
src/renderer/src/components/multi-player/src/core/xgplayer/utils/index.ts:13 · conf 0.40 
[SEC006] XSS Risk: Direct HTML injection without sanitization.
info SEC006 XSS Risk
· conf 0.20 
[SEC006] XSS Risk (and 4 more): Same pattern found in 4 additional files. Review if needed.
info SEC015 Insecure Randomness for Security
packages/crypto/src/core/base.ts:36 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC015 Insecure Randomness for Security
src/main/services/FastifyService/routes/v1/parse/analyze.ts:221 · conf 0.25 
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
info SEC020 Secret Printed to Logs
src/main/services/AppUpdater.ts:158 · conf 0.15 
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…

Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/bc0df726-1cce-4ae1-a3ff-52b6c4f38ae7/.