https://github.com/astral-sh/uv ·
lang: rust ·
LOC: ·
source: both
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED116 GHA pull_request workflow leaks secrets to forks | critical | 10 |
| MINED126 GHA workflow container/services image unpinned | high | 7 |
| MINED134 [MINED134] Binary file `bin/ref/ScriptoriaCommonDefs.dll` c… | high | 6 |
| MINED106 Phantom test coverage (assertion-free test) | high | 6 |
| MINED068 Rust Unsafe Block | info | 4 |
| MINED003 Rust Unwrap In Prod | high | 4 |
| MINED059 Rust Expect In Prod | info | 4 |
| COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc… | low | 4 |
MINED013
Password In Url
CWE-200
crates/uv-configuration/src/proxy_url.rs:169
· conf 1.00
[MINED013] Password In Url: https://user:password@host — leaks creds via logs, referrer, error messages.
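The practical fix for MINED013 is to strip the userinfo part of a URL before it can reach a log line, an error message or a debug dump of the environment. The block below is an added example written for this page, not code from uv (the flagged file, proxy_url.rs, is Rust; this is the same idea in Python). The function names and the sample URLs are this example's own; the proxy variable names in `redact_proxy_env` are the conventional ones and are assumed, not taken from the page.

```python
from urllib.parse import urlsplit, urlunsplit


def has_embedded_credentials(url: str) -> bool:
    """True when the URL carries a userinfo component (user or user:password)."""
    parts = urlsplit(url)
    return parts.username is not None or parts.password is not None


def redact_url(url: str, mask: str = "***") -> str:
    """Return `url` with any password replaced by `mask`.

    The username is kept because it is usually needed to diagnose auth failures;
    scheme, host, port, path, query and fragment are preserved as written.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url  # nothing to hide, so return the original string untouched
    # urlsplit itself splits userinfo from host at the last '@', so a literal '@'
    # inside a (percent-encoded) password cannot confuse this step. Taking the host
    # from netloc keeps IPv6 brackets, port and original letter case intact.
    host = parts.netloc.rpartition("@")[2]
    userinfo = f"{parts.username or ''}:{mask}"
    return urlunsplit((parts.scheme, f"{userinfo}@{host}", parts.path, parts.query, parts.fragment))


def redact_proxy_env(env: dict) -> dict:
    """Redact the usual proxy variables before an environment is printed for debugging.

    Assumed variable names (HTTP_PROXY, HTTPS_PROXY, ALL_PROXY); proxy URLs are the
    classic place where `scheme://user:password@host` ends up in logs.
    """
    proxy_keys = {"HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY"}
    return {k: (redact_url(v) if k.upper() in proxy_keys else v) for k, v in env.items()}


if __name__ == "__main__":
    # Constructed sample input.
    print(redact_url("https://user:password@host/path?x=1#f"))
    print(redact_proxy_env({"HTTPS_PROXY": "http://a:b@proxy:3128", "PATH": "/bin"}))
```

Run the redaction at the boundary where the URL is rendered (the `Display`/`__str__` of the URL type, or a logging filter), not at each call site; a single missed `format!`/f-string is all it takes to leak the credential.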
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:352
· conf 0.90
[MINED116] Workflow uses `secrets.GITLAB_TEST_PUBLISH_TRIGGER_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.G…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:353
· conf 0.90
[MINED116] Workflow uses `secrets.GITLAB_TEST_PUBLISH_ACCESS_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.GI…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:390
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_KEYRING` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUB…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:396
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_TEXT_STORE` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:403
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PUBLI…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:404
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PASSWORD` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_PU…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:405
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_GITLAB_PAT` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:406
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_CODEBERG_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_T…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:407
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_CLOUDSMITH_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV…
MINED116
GHA pull_request workflow leaks secrets to forks
CWE-829
.github/workflows/ci.yml:408
· conf 0.90
[MINED116] Workflow uses `secrets.UV_TEST_PUBLISH_PYX_TOKEN` on a `pull_request` trigger: This workflow triggers on `pull_request`, which checks out the FORK's code. Referencing `${ secrets.UV_TEST_P…
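A caveat a practitioner wants on the ten MINED116 findings above: GitHub does not pass repository secrets (other than the read-only `GITHUB_TOKEN`) to `pull_request` runs triggered from a fork, so for fork PRs a step like these fails rather than leaks. The exposure that remains is twofold: PRs from branches in the same repository do receive the secrets on `pull_request`, and the same references on `pull_request_target`, which runs in the base repository's context with secrets, are the genuinely dangerous shape when the workflow also checks out the PR head. The checker below is an added example, not uv's tooling: it finds `${{ secrets.NAME }}` references in a workflow that runs on either PR event. It is line-based rather than a YAML parser, does not understand `if:` guards on `github.event.pull_request.head.repo`, and the two workflow texts are constructed samples.

```python
import re

# `${{ secrets.NAME }}` expressions anywhere in the workflow text.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# Top-level `on:` key; writers sometimes quote it because `on` is a YAML boolean.
ON_KEY = re.compile(r"""^(?:on|"on"|'on'):\s*(.*?)\s*$""")
# Events that run with a pull request's code checked out.
PR_TRIGGERS = {"pull_request", "pull_request_target"}


def workflow_triggers(text: str) -> set:
    """Event names under the workflow's top-level `on:` (inline, list or mapping form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = ON_KEY.match(line)
        if not m:
            continue
        inline = m.group(1)
        if inline:  # `on: push` or `on: [push, pull_request]`
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        triggers = set()
        block_indent = None
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent == 0:
                break  # the next top-level key ends the `on:` mapping
            block_indent = indent if block_indent is None else block_indent
            if indent == block_indent:  # direct children only (`push:`, `- pull_request`)
                triggers.add(nxt.strip().lstrip("- ").split(":")[0].strip())
        return triggers
    return set()


def secrets_reachable_from_prs(text: str) -> list:
    """Secret names a workflow references while running on pull_request / pull_request_target."""
    if not (workflow_triggers(text) & PR_TRIGGERS):
        return []
    return sorted(set(SECRET_REF.findall(text)))


# Constructed sample: a CI workflow that runs on pull_request and hands publish
# credentials to a step (the shape MINED116 flags).
LEAKY_WORKFLOW = """\
name: ci
on:
  push:
    branches: [main]
  pull_request:
jobs:
  publish-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish_test.sh
        env:
          PUBLISH_TOKEN: ${{ secrets.TEST_PUBLISH_TOKEN }}
          PUBLISH_PASSWORD: ${{ secrets.TEST_PUBLISH_PASSWORD }}
"""

# Constructed sample: the same job moved to a workflow that only runs on trusted
# events, so no PR-triggered run ever reaches a step that references secrets.
HARDENED_WORKFLOW = """\
name: publish-test
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  publish-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/publish_test.sh
        env:
          PUBLISH_TOKEN: ${{ secrets.TEST_PUBLISH_TOKEN }}
"""

if __name__ == "__main__":
    print(secrets_reachable_from_prs(LEAKY_WORKFLOW))
    print(secrets_reachable_from_prs(HARDENED_WORKFLOW))
```

Splitting the secret-using job into its own workflow on `push`/`workflow_dispatch` is the simplest fix; if a PR-triggered run genuinely needs a credential, scope it to a dedicated low-privilege secret and gate the step so it is skipped when the head repository is not the base repository.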
SEC084
JS: require() with non-literal
crates/uv-requirements/src/source_tree.rs:212
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0). Note: this rule is JavaScript-specific and the flagged file is Rust source (`.rs`); treat it as a false positive unless that line actually embeds JavaScript.
DKR006
Dockerfile pipes a remote script into a shell
crates/uv-trampoline/Dockerfile:38
· conf 0.92
Dockerfile pipes a remote script into a shell
MINED001
Bare Except Pass
CWE-755
.claude/hooks/post-edit-format.py:22
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
crates/uv-virtualenv/src/_virtualenv.py:80
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED003
Rust Unwrap In Prod
CWE-755
crates/uv-auth/src/index.rs:136
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
MINED003
Rust Unwrap In Prod
CWE-755
crates/uv-auth/src/providers.rs:209
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
MINED003
Rust Unwrap In Prod
CWE-755
crates/uv-bench/benches/uv.rs:13
· conf 1.00
[MINED003] Rust Unwrap In Prod: .unwrap() panics if None/Err. Acceptable in tests; risky elsewhere.
MINED004
Weak Crypto
CWE-327
crates/uv-extract/src/hash.rs:11
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
crates/uv-platform/src/cpuinfo.rs:71
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED006
Overcatch Baseexception
CWE-705
python/uv/__main__.py:43
· conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED041
Rust Unimplemented Macro
CWE-1188
crates/uv-macros/src/lib.rs:32
· conf 1.00
[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
MINED041
Rust Unimplemented Macro
CWE-1188
crates/uv-resolver/src/dependency_provider.rs:30
· conf 1.00
[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
MINED041
Rust Unimplemented Macro
CWE-1188
crates/uv/src/commands/build_backend.rs:56
· conf 1.00
[MINED041] Rust Unimplemented Macro: unimplemented!() panics. Same as todo!() but conventionally used for trait stubs.
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
scripts/publish/test_publish.py:451
· conf 1.00
[MINED106] Phantom test coverage: test_fresh_upload: Test function `test_fresh_upload` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
scripts/publish/test_publish.py:506
· conf 1.00
[MINED106] Phantom test coverage: test_reupload_same_files: Test function `test_reupload_same_files` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
scripts/publish/test_publish.py:562
· conf 1.00
[MINED106] Phantom test coverage: test_reupload_with_check_url: Test function `test_reupload_with_check_url` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
scripts/publish/test_publish.py:630
· conf 1.00
[MINED106] Phantom test coverage: test_reupload_modified_files: Test function `test_reupload_modified_files` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
scripts/publish/test_publish.py:688
· conf 1.00
[MINED106] Phantom test coverage: test_publish_project: Test function `test_publish_project` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cov…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
scripts/scenarios/generate.py:84
· conf 1.00
[MINED106] Phantom test coverage: test_file: Test function `test_file` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage without verifyin…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:94
· conf 1.00
[MINED108] `self.resolve_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_cold`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:96
· conf 1.00
[MINED108] `self.resolve_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_warm`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:98
· conf 1.00
[MINED108] `self.resolve_incremental` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_incremental`, but no assignment to it exists in __init__ (and no class…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:100
· conf 1.00
[MINED108] `self.resolve_noop` used but never assigned in __init__: Method `command` of class `Suite` reads `self.resolve_noop`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:102
· conf 1.00
[MINED108] `self.install_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_cold`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:104
· conf 1.00
[MINED108] `self.install_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_warm`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:389
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:416
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:443
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_incremental` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:499
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_noop` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:536
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `install_cold` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:581
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `install_warm` of class `Poetry` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:661
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This ra…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:678
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This ra…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:700
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_incremental` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). …
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:745
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_noop` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This ra…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:775
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `install_cold` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This ra…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:810
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `install_warm` of class `Pdm` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). This ra…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:1058
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_cold` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). T…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/resolver.py:1079
· conf 1.00
[MINED108] `self.setup` used but never assigned in __init__: Method `resolve_warm` of class `UvProject` reads `self.setup`, but no assignment to it exists in __init__ (and no class-level fallback). T…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/tools.py:36
· conf 1.00
[MINED108] `self.install_cold` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_cold`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/tools.py:38
· conf 1.00
[MINED108] `self.install_warm` used but never assigned in __init__: Method `command` of class `Suite` reads `self.install_warm`, but no assignment to it exists in __init__ (and no class-level fallbac…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/benchmark/src/benchmark/tools.py:40
· conf 1.00
[MINED108] `self.run` used but never assigned in __init__: Method `command` of class `Suite` reads `self.run`, but no assignment to it exists in __init__ (and no class-level fallback). This raises At…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/scenarios/generate.py:82
· conf 1.00
[MINED108] `self.name` used but never assigned in __init__: Method `template_file` of class `TemplateKind` reads `self.name`, but no assignment to it exists in __init__ (and no class-level fallback).…
MINED108
self.attribute used but never assigned in __init__
CWE-476
scripts/scenarios/generate.py:85
· conf 1.00
[MINED108] `self.value` used but never assigned in __init__: Method `test_file` of class `TemplateKind` reads `self.value`, but no assignment to it exists in __init__ (and no class-level fallback). T…
MINED118
Dockerfile FROM not pinned by sha256 digest
CWE-829
crates/uv-dev/builder.dockerfile:3
· conf 0.90
[MINED118] Dockerfile FROM `ubuntu:22.04` not pinned by digest: `FROM ubuntu:22.04` resolves the tag at build time. The registry CAN re-push a different image for the same tag, so every build is pote…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/build-release-binaries.yml:361
· conf 0.90
[MINED126] Workflow container/services image `quay.io/pypa/manylinux2014` unpinned: `container/services image: quay.io/pypa/manylinux2014` without `@sha256:...` pulls a mutable tag at workflow-run ti…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-smoke.yml:78
· conf 0.90
[MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-system.yml:102
· conf 0.90
[MINED126] Workflow container/services image `python:3.6-buster` unpinned: `container/services image: python:3.6-buster` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-system.yml:126
· conf 0.90
[MINED126] Workflow container/services image `python:3.7-buster` unpinned: `container/services image: python:3.7-buster` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-system.yml:299
· conf 0.90
[MINED126] Workflow container/services image `pyston/pyston:2.3.5` unpinned: `container/services image: pyston/pyston:2.3.5` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat work…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-system.yml:377
· conf 0.90
[MINED126] Workflow container/services image `alpine:latest` unpinned: `container/services image: alpine:latest` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow contain…
MINED126
GHA workflow container/services image unpinned
CWE-829
.github/workflows/test-system.yml:790
· conf 0.90
[MINED126] Workflow container/services image `amazonlinux:2023` unpinned: `container/services image: amazonlinux:2023` without `@sha256:...` pulls a mutable tag at workflow-run time. Treat workflow c…
MINED131
pre-commit hook pinned to branch/tag instead of SHA
CWE-829
.pre-commit-config.yaml:9
· conf 0.90
[MINED131] pre-commit hook `https://github.com/abravalheri/validate-pyproject` pinned to mutable rev `v0.24.1`: `.pre-commit-config.yaml` references `https://github.com/abravalheri/validate-pyproject…
MINED131
pre-commit hook pinned to branch/tag instead of SHA
CWE-829
.pre-commit-config.yaml:13
· conf 0.90
[MINED131] pre-commit hook `https://github.com/crate-ci/typos` pinned to mutable rev `v1.42.3`: `.pre-commit-config.yaml` references `https://github.com/crate-ci/typos` at `rev: v1.42.3`. If `{rev}` …
MINED131
pre-commit hook pinned to branch/tag instead of SHA
CWE-829
.pre-commit-config.yaml:45
· conf 0.90
[MINED131] pre-commit hook `https://github.com/astral-sh/ruff-pre-commit` pinned to mutable rev `v0.14.14`: `.pre-commit-config.yaml` references `https://github.com/astral-sh/ruff-pre-commit` at `rev…
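MINED118, MINED126 and MINED131 above are one problem in three places: a reference that the registry or the upstream repository can re-point after the fact (`ubuntu:22.04`, `alpine:latest`, `rev: v0.24.1`). The block below is an added example, not uv's tooling, showing what "pinned" means mechanically: a container ref is immutable only with an `@sha256:<64 hex>` digest, and a pre-commit `rev` only when it is a full 40-hex commit SHA. It scans Dockerfile `FROM` lines, workflow `image:` lines and pre-commit `rev:` lines with regexes (not a full parser; `ARG`-parameterised refs are skipped); the Dockerfile, workflow and pre-commit texts are constructed samples with placeholder digests.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")  # a full Git SHA-1; tags and branches are mutable
# `FROM [--platform=...] <ref> [AS <stage>]` in Dockerfiles.
FROM_LINE = re.compile(r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?",
                       re.IGNORECASE | re.MULTILINE)
# `image: <ref>` under a workflow job's `container:` or `services:` block.
IMAGE_LINE = re.compile(r"""^\s*image:\s*['"]?([^'"\s]+)""", re.MULTILINE)
# `rev: <ref>` in .pre-commit-config.yaml.
REV_LINE = re.compile(r"""^\s*rev:\s*['"]?([^'"\s]+)""", re.MULTILINE)


def image_pinned_by_digest(ref: str) -> bool:
    """True for `name[:tag]@sha256:<64 hex>`; a bare tag (or no tag at all) is mutable."""
    return DIGEST.search(ref) is not None


def unpinned_images(text: str) -> list:
    """Image refs in a Dockerfile or workflow that resolve a mutable tag at build/run time."""
    stages = set()
    refs = []
    for ref, stage in FROM_LINE.findall(text):
        if stage:
            stages.add(stage.lower())  # `FROM builder` names a stage, not a registry image
        refs.append(ref)
    refs += IMAGE_LINE.findall(text)
    return [
        r for r in refs
        if r.lower() not in stages
        and r.lower() != "scratch"          # reserved empty image, nothing to pin
        and not r.startswith("$")           # ARG-parameterised; cannot judge statically
        and not image_pinned_by_digest(r)
    ]


def unpinned_precommit_revs(text: str) -> list:
    """`rev:` values that are tags or branches rather than a full commit SHA."""
    return [r for r in REV_LINE.findall(text) if not COMMIT_SHA.match(r)]


# Constructed samples (the digests are placeholders, not real image digests).
DOCKERFILE = """\
FROM ubuntu:22.04 AS builder
RUN apt-get update
FROM builder AS test
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""
WORKFLOW = """\
jobs:
  smoke:
    runs-on: ubuntu-latest
    container:
      image: alpine:latest
    services:
      registry:
        image: "registry:2@sha256:1111111111111111111111111111111111111111111111111111111111111111"
"""
PRE_COMMIT = """\
repos:
  - repo: https://github.com/example/hook-a
    rev: v1.2.3
  - repo: https://github.com/example/hook-b
    rev: 0123456789abcdef0123456789abcdef01234567
"""

if __name__ == "__main__":
    print(unpinned_images(DOCKERFILE), unpinned_images(WORKFLOW), unpinned_precommit_revs(PRE_COMMIT))
```

To obtain the values to pin, `docker buildx imagetools inspect <image:tag>` prints the manifest digest for an image reference, and `git ls-remote --tags <repo>` lists the commit behind each tag (the `^{}` line for annotated tags). Keep the human-readable tag in a comment next to the digest so updates stay reviewable.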
MINED134
Binary file committed in source repo (rule rationale: trojan binaries inside otherwise-normal source repos are a known supply-chain attack; a compromised dependency or PR slips in a binary that build scripts then execute). The six flagged files are the prebuilt Windows trampoline executables under `crates/uv-trampoline-builder/trampolines/`; the check a practitioner wants is that each one reproduces from the `crates/uv-trampoline` sources (that crate's Dockerfile is flagged above by DKR006).
crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe:1
· conf 0.90
[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-console.e…
MINED134
Binary file committed in source repo
crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe:1
· conf 0.90
[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-aarch64-gui.exe` is a…
MINED134
Binary file committed in source repo
crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe:1
· conf 0.90
[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-console.exe` is…
MINED134
Binary file committed in source repo
crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe:1
· conf 0.90
[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-i686-gui.exe` is a .exe …
MINED134
Binary file committed in source repo
crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe:1
· conf 0.90
[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-console.exe…
MINED134
Binary file committed in source repo
crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe:1
· conf 0.90
[MINED134] Binary file `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe` committed in source repo: `crates/uv-trampoline-builder/trampolines/uv-trampoline-x86_64-gui.exe` is a .…
SEC004
SQL Injection Risk
scripts/update_schemastore.py:38
· conf 0.50
[SEC004] SQL Injection Risk: String interpolation in SQL execution. Allows SQL injection.
SEC013
Path Traversal — User Input in File Path
scripts/publish-crates.py:80
· conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
crates/uv-auth/src/providers.rs:84
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
crates/uv-auth/src/service.rs:49
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
crates/uv-cache/src/wheel.rs:33
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC080
Python: tarfile.extractall without filter
scripts/repair-sdist-cargo-lock.py:32
· conf 1.00
[SEC080] Python: tarfile.extractall without filter: tarfile.extract*() without filter='data' allows path-traversal (CVE-2007-4559, fixed via PEP 706 in 3.12). Ported from bandit B202 (Apache-2.0).
SEC103
LDAP injection — non-constant search filter
scripts/sync-python-version-constants.py:81
· conf 1.00
[SEC103] LDAP injection — non-constant search filter: User input concatenated into an LDAP search filter. Attackers inject `*)(uid=*` style payloads to bypass auth or enumerate accounts.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
scripts/create-python-mirror.py:61
· conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple… Note: the rule describes a JavaScript Promise, but the flagged file is Python, where the equivalent defect is an un-awaited coroutine (`RuntimeWarning: coroutine ... was never awaited`); verify the call site before triage.
AGT015
Remote install command pipes network code directly to a shell
docs/getting-started/installation.md:16
· conf 0.70
Remote install command pipes network code directly to a shell
AGT015
Remote install command pipes network code directly to a shell
docs/reference/installer.md:57
· conf 0.70
Remote install command pipes network code directly to a shell
COMP001
High cognitive complexity (SonarSource scale: nested branches, boolean chains and recursion all add to the score)
crates/uv-python/python/packaging/_manylinux.py:214
· conf 0.95
[COMP001] High cognitive complexity: Function `platform_tags` has cognitive complexity 22 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — neste…
COMP001
High cognitive complexity
crates/uv-virtualenv/src/_virtualenv.py:50
· conf 0.95
[COMP001] High cognitive complexity: Function `find_spec` has cognitive complexity 19 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested br…
CORE_LARGE_FILES
Average file size is 1080 lines (recommend <300)
Average file size is 739 lines (recommend <300)
DKR001
Docker final stage has no non-root USER
crates/uv-trampoline/Dockerfile:63
· conf 0.82
Docker final stage has no non-root USER
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignore
MINED111
Bare except continues silently
scripts/registries-test.py:257
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
scripts/registries-test.py:339
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC012
ZipSlip — Archive Path Traversal
scripts/repair-sdist-cargo-lock.py:32
· conf 1.00
[SEC012] ZipSlip — Archive Path Traversal: Archive extraction without path validation allows writing files outside the target directory.
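SEC080 (above, the `tarfile.extractall` without `filter` finding at scripts/repair-sdist-cargo-lock.py:32) and SEC012 here are the same call site seen by two rules: a tar entry named `../x`, `/abs/x`, or a symlink pointing out of the tree writes outside the destination. The block below is an added example, not uv's script: a pure pre-extraction check that needs no filesystem, plus an extractor that uses the stdlib `data` filter where the interpreter has it (3.12+, and the 3.8.17/3.9.17/3.10.12/3.11.4 backports) and otherwise relies on the check alone. The archives are constructed in memory as fixtures; `build_tar` exists only to make them.

```python
import io
import posixpath
import tarfile
from typing import Optional


def build_tar(files: dict, symlinks: Optional[dict] = None) -> bytes:
    """Constructed test fixture: an in-memory tar with the given regular files and symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        for name, target in (symlinks or {}).items():
            info = tarfile.TarInfo(name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tf.addfile(info)
    return buf.getvalue()


def _escapes(path: str) -> bool:
    """True if an archive-relative path is absolute or normalises to above the root."""
    norm = posixpath.normpath(path)
    return path.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_members(archive: bytes) -> list:
    """Names of entries that would write or link outside the extraction directory.

    Pure check (no filesystem access): absolute names, `..` traversal, symlinks and
    hardlinks whose target leaves the tree, and special files (devices, FIFOs).
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for m in tf.getmembers():
            if _escapes(m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # symlink targets are relative to the entry's directory;
                # hardlink targets are relative to the archive root.
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(m.name), m.linkname)
                if m.linkname.startswith("/") or _escapes(target):
                    bad.append(m.name)
            elif not (m.isfile() or m.isdir()):
                bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest: str) -> list:
    """Extract only after the pure check passes; also apply the stdlib `data` filter when present."""
    bad = unsafe_members(archive)
    if bad:
        raise tarfile.TarError(f"refusing to extract unsafe entries: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        if hasattr(tarfile, "data_filter"):  # interpreter has PEP 706 filters
            tf.extractall(dest, filter="data")
        else:
            tf.extractall(dest)  # already vetted above; older interpreters accept no filter=
        return [m.name for m in tf.getmembers()]


if __name__ == "__main__":
    evil = build_tar({"../evil.txt": b"x", "/abs.txt": b"y"}, symlinks={"pkg/link": "../../outside"})
    print(unsafe_members(evil))
```

Keeping both layers is deliberate: the `data` filter is the supported fix and also strips setuid/setgid bits and absolute symlink targets, while the explicit check gives the same refusal on interpreters that predate it and produces a clear error naming the offending entries instead of a half-extracted tree.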
SEC034
Log Injection / Log Forging — unsanitized user input in log
scripts/check_system_python.py:22
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
AIC002
Source file name looks like an AI patch artifact
crates/uv/src/commands/cache_clean.rs:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC002
Source file name looks like an AI patch artifact
crates/uv/src/commands/self_update.rs:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC003
Duplicated implementation block across source files
crates/uv-configuration/src/sources.rs:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
| Rule | Title | CWE | Location | Conf | Message |
|---|---|---|---|---|---|
| AIC003 | Duplicated implementation block across source files | | crates/uv-dev/src/generate_options_reference.rs:11 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-dev/src/generate_options_reference.rs:25 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-dev/src/generate_sysconfig_mappings.rs:28 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-dev/src/generate_sysconfig_mappings.rs:50 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-distribution/src/metadata/requires_dist.rs:152 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-distribution/src/metadata/requires_dist.rs:190 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-installer/src/satisfies.rs:386 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-install-wheel/src/uninstall.rs:312 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-keyring/src/mock.rs:154 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-keyring/src/secret_service.rs:438 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-keyring/src/windows.rs:490 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-keyring/src/windows.rs:498 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-normalize/src/lib.rs:128 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-normalize/src/package_name.rs:7 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-platform-tags/src/language_tag.rs:3 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-platform-tags/src/platform.rs:110 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-publish/src/trusted_publishing/pyx.rs:35 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-pypi-types/src/metadata/requires_dist.rs:37 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-requirements/src/lookahead.rs:33 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-requirements/src/source_tree.rs:71 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-requirements/src/unnamed.rs:28 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-resolver/src/lock/installable.rs:104 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-resolver/src/lock/tree.rs:79 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-resolver/src/resolver/environment.rs:412 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv-resolver/src/resolver/reporter.rs:15 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv/src/commands/auth/token.rs:32 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv/src/commands/cache_prune.rs:11 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv/src/commands/pip/install.rs:158 | 0.86 | Duplicated implementation block across source files |
| AIC003 | Duplicated implementation block across source files | | crates/uv/src/commands/pip/install.rs:226 | 0.86 | Duplicated implementation block across source files |
| COMP001 | [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2. | | crates/uv-python/python/packaging/_manylinux.py:178 | 0.95 | [COMP001] High cognitive complexity: Function `_is_compatible` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nest… |
| DKR011 | Dockerfile installs recommended OS packages | | crates/uv-trampoline/Dockerfile:28 | 0.72 | Dockerfile installs recommended OS packages |
| COMP001 | [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2. | | | 0.20 | [COMP001] High cognitive complexity (and 12 more): Same pattern found in 12 additional files. Review if needed. |
| MINED003 | Rust Unwrap In Prod | CWE-755 | | 0.20 | [MINED003] Rust Unwrap In Prod (and 47 more): Same pattern found in 47 additional files. Review if needed. |
| MINED043 | Http Not Https | CWE-319 | | 0.20 | [MINED043] Http Not Https (and 1 more): Same pattern found in 1 additional files. Review if needed. |
| MINED043 | Http Not Https | CWE-319 | crates/uv-auth/src/realm.rs:279 | 1.00 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | crates/uv-configuration/src/proxy_url.rs:66 | 1.00 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED043 | Http Not Https | CWE-319 | crates/uv-configuration/src/trusted_host.rs:97 | 1.00 | [MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data. |
| MINED050 | Stub Only Function | CWE-1188 | .claude/hooks/post-edit-format.py:23 | 1.00 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED050 | Stub Only Function | CWE-1188 | crates/uv-python/python/packaging/_elffile.py:18 | 1.00 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED050 | Stub Only Function | CWE-1188 | scripts/scenarios/generate.py:93 | 1.00 | [MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment. |
| MINED059 | Rust Expect In Prod | CWE-755 | | 0.20 | [MINED059] Rust Expect In Prod (and 28 more): Same pattern found in 28 additional files. Review if needed. |
| MINED059 | Rust Expect In Prod | CWE-755 | crates/uv-auth/src/providers.rs:21 | 1.00 | [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. |
| MINED059 | Rust Expect In Prod | CWE-755 | crates/uv-bench/benches/uv.rs:68 | 1.00 | [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. |
| MINED059 | Rust Expect In Prod | CWE-755 | crates/uv-build/src/main.rs:67 | 1.00 | [MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message. |
| MINED066 | Rust Panic Macro | CWE-755 | | 0.20 | [MINED066] Rust Panic Macro (and 3 more): Same pattern found in 3 additional files. Review if needed. |
| MINED066 | Rust Panic Macro | CWE-755 | crates/uv-extract/src/lib.rs:142 | 1.00 | [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors. |
| MINED066 | Rust Panic Macro | CWE-755 | crates/uv-keyring/src/error.rs:88 | 1.00 | [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors. |
| MINED066 | Rust Panic Macro | CWE-755 | crates/uv-requirements/src/lookahead.rs:155 | 1.00 | [MINED066] Rust Panic Macro: panic!() unwinds the stack. Use Result for recoverable errors. |
| MINED068 | Rust Unsafe Block | CWE-119 | | 0.20 | [MINED068] Rust Unsafe Block (and 7 more): Same pattern found in 7 additional files. Review if needed. |
| MINED068 | Rust Unsafe Block | CWE-119 | crates/uv-client/src/rkyvutil.rs:170 | 1.00 | [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside. |
| MINED068 | Rust Unsafe Block | CWE-119 | crates/uv-fastid/src/lib.rs:36 | 1.00 | [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside. |
| MINED068 | Rust Unsafe Block | CWE-119 | crates/uv-fs/src/which.rs:20 | 1.00 | [MINED068] Rust Unsafe Block: unsafe { ... } block. Compiler safety guarantees disabled inside. |
| MINED072 | Python Pass Only Class | CWE-1188 | crates/uv-python/python/packaging/_elffile.py:17 | 1.00 | [MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in. |
| MINED073 | Redos Greedy Quantifier | CWE-1333, CWE-400 | scripts/check_registry.py:111 | 1.00 | [MINED073] Redos Greedy Quantifier: Pattern with nested quantifiers like (a+)+ applied to network/user data — denial of service. |
| SEC001 | Hardcoded Password | | crates/uv-keyring/src/mock.rs:286 | 0.10 | [SEC001] Hardcoded Password: Hardcoded password found in source code. |
| SEC029 | Server-Side Request Forgery (SSRF) — outbound HTTP from user input | | | 0.20 | [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 31 more): Same pattern found in 31 additional files. Review if needed. |