
zilliztech/claude-context

https://github.com/zilliztech/claude-context.git · lang: typescript · LOC: · source: user_submitted

Quality: 79.0 (Grade B+)
Security: 100.0
Findings: 73 (0 critical · 38 high · 11 medium · 3 low · 21 info)
Status: completed, May 23, 2026 03:15
Top rules by occurrence

Rule      Severity  Count  Title
MINED108  high      21     self.attribute used but never assigned in __init__
MINED111  medium    8      Bare except continues silently
MINED115  high      6      GitHub Action pinned to mutable ref (not 40-char SHA)
MINED050  info      4      Stub Only Function
SEC020    high      4      Secret Printed to Logs
MINED044  info      4      Js Console Log Prod
COMP001   low       4      High cognitive complexity
MINED052  info      4      Ts Any Typed
MINED110  high      4      Blocking call inside async function
MINED049  info      3      Print Pii
First 73 findings (severity-sorted)
high COMP001 High cognitive complexity
evaluation/retrieval/base.py:42 · conf 0.95
[COMP001] High cognitive complexity: Function `_prepare_instances` has cognitive complexity 35 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …
high MINED001 Bare Except Pass CWE-755
evaluation/servers/read_server.py:256 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/client.py:62 · conf 1.00
[MINED108] `self.async_run` used but never assigned in __init__: Method `run` of class `Evaluator` reads `self.async_run`, but no assignment to it exists in __init__ (and no class-level fallback). Th…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/base.py:99 · conf 1.00
[MINED108] `self._filter_existing_instances` used but never assigned in __init__: Method `_prepare_instances` of class `BaseRetrieval` reads `self._filter_existing_instances`, but no assignment to it…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/base.py:194 · conf 1.00
[MINED108] `self.build_index` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.build_index`, but no assignment to it exists in __init__ (and no class-level fallb…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/base.py:197 · conf 1.00
[MINED108] `self.search` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.search`, but no assignment to it exists in __init__ (and no class-level fallback). This…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/base.py:201 · conf 1.00
[MINED108] `self.output_file` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.output_file`, but no assignment to it exists in __init__ (and no class-level fallb…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/base.py:204 · conf 1.00
[MINED108] `self.output_file` used but never assigned in __init__: Method `run` of class `BaseRetrieval` reads `self.output_file`, but no assignment to it exists in __init__ (and no class-level fallb…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:135 · conf 1.00
[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:150 · conf 1.00
[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:164 · conf 1.00
[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:181 · conf 1.00
[MINED108] `self._load_tools_from_sessions` used but never assigned in __init__: Method `mcp_sessions_context` of class `CustomRetrieval` reads `self._load_tools_from_sessions`, but no assignment to …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:247 · conf 1.00
[MINED108] `self.async_build_index` used but never assigned in __init__: Method `build_index` of class `CustomRetrieval` reads `self.async_build_index`, but no assignment to it exists in __init__ (an…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:254 · conf 1.00
[MINED108] `self.mcp_sessions_context` used but never assigned in __init__: Method `async_build_index` of class `CustomRetrieval` reads `self.mcp_sessions_context`, but no assignment to it exists in …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:291 · conf 1.00
[MINED108] `self.async_search` used but never assigned in __init__: Method `search` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-leve…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:294 · conf 1.00
[MINED108] `self.mcp_sessions_context` used but never assigned in __init__: Method `async_search` of class `CustomRetrieval` reads `self.mcp_sessions_context`, but no assignment to it exists in __ini…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:297 · conf 1.00
[MINED108] `self.prompt` used but never assigned in __init__: Method `async_search` of class `CustomRetrieval` reads `self.prompt`, but no assignment to it exists in __init__ (and no class-level fall…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:326 · conf 1.00
[MINED108] `self.async_run` used but never assigned in __init__: Method `run` of class `CustomRetrieval` reads `self.async_run`, but no assignment to it exists in __init__ (and no class-level fallbac…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:329 · conf 1.00
[MINED108] `self.instances` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.instances`, but no assignment to it exists in __init__ (and no class-level f…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:336 · conf 1.00
[MINED108] `self.output_dir` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.output_dir`, but no assignment to it exists in __init__ (and no class-level…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:344 · conf 1.00
[MINED108] `self.async_build_index` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_build_index`, but no assignment to it exists in __init__ (and …
high MINED108 self.attribute used but never assigned in __init__ CWE-476
evaluation/retrieval/custom.py:352 · conf 1.00
[MINED108] `self.async_search` used but never assigned in __init__: Method `async_run` of class `CustomRetrieval` reads `self.async_search`, but no assignment to it exists in __init__ (and no class-l…
high MINED108 self.attribute used but never assigned in __init__ CWE-476
python/ts_executor.py:51 · conf 1.00
[MINED108] `self._create_wrapper_script` used but never assigned in __init__: Method `call_method` of class `TypeScriptExecutor` reads `self._create_wrapper_script`, but no assignment to it exists in…
high MINED110 Blocking call inside async function CWE-833
evaluation/retrieval/custom.py:276 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing…
high MINED110 Blocking call inside async function CWE-833
evaluation/retrieval/custom.py:278 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing…
high MINED110 Blocking call inside async function CWE-833
evaluation/retrieval/custom.py:286 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `async_build_index`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing…
high MINED110 Blocking call inside async function CWE-833
evaluation/retrieval/custom.py:316 · conf 1.00
[MINED110] Blocking call `time.sleep` inside async function `async_search`: `time.sleep` is a synchronous (blocking) call. When invoked inside an `async def` it stalls the event loop, preventing ever…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:20 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:23 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/ci.yml:28 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:15 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:18 · conf 0.90
[MINED115] Action `pnpm/action-setup` pinned to mutable ref `@v4`: `uses: pnpm/action-setup@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/release.yml:23 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
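Added example (editor's code, not from zilliztech/claude-context): a checker for the MINED115 condition. It scans the `uses:` lines of a workflow and reports every reference that is not a full 40-hex commit SHA, skipping local composite actions and `docker://` images, which are not GitHub refs. The workflow text is constructed for the example and only mirrors the shape of the flagged lines; the 40-hex value in it is a placeholder, not a real commit.

```typescript
// Added example, not code from the claude-context repository.
// Reports GitHub Actions `uses:` references that are not pinned to a full commit SHA.

export interface PinFinding {
  line: number;   // 1-based line in the workflow text
  action: string; // e.g. "actions/checkout"
  ref: string;    // the ref after "@", e.g. "v4"
  reason: string;
}

// Constructed workflow text; the 40-hex value below is a placeholder, not a real commit.
export const SAMPLE_WORKFLOW = `
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
      # pinned form: full SHA, with the tag it was taken from kept in a trailing comment
      - uses: actions/cache@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - run: pnpm install --frozen-lockfile
`;

const FULL_SHA = /^[0-9a-f]{40}$/;
// Matches "- uses: x", "uses: x" and quoted forms; the capture stops at whitespace or a comment.
const USES_LINE = /^\s*-?\s*uses:\s*['"]?([^\s'"#]+)/;

export function findUnpinnedActions(workflow: string): PinFinding[] {
  const findings: PinFinding[] = [];
  workflow.split("\n").forEach((text, idx) => {
    const m = USES_LINE.exec(text);
    if (!m) return;
    const spec = m[1];
    // Local composite actions and docker images are not GitHub refs; they need other controls.
    if (spec.startsWith("./") || spec.startsWith("docker://")) return;
    const at = spec.lastIndexOf("@");
    const action = at < 0 ? spec : spec.slice(0, at);
    const ref = at < 0 ? "" : spec.slice(at + 1);
    if (FULL_SHA.test(ref)) return; // pinned: a commit hash cannot be moved by the owner
    findings.push({
      line: idx + 1,
      action,
      ref,
      reason: ref === ""
        ? "no ref given"
        : `mutable ref "${ref}": the owner can move a tag or branch to different code`,
    });
  });
  return findings;
}
```

Abbreviated hashes are reported too, since the rule asks for the full 40 characters. Keeping the tag in a trailing comment on the pinned line is what lets Dependabot or Renovate bump the SHA when a new release appears.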
high SEC020 Secret Printed to Logs
evaluation/analyze_and_plot_mcp_efficiency.py:128 · conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
packages/chrome-extension/src/options.ts:34 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
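Added example (editor's code, not from zilliztech/claude-context): the two-stage guard the SEC029 finding asks for. Stage one runs before any network activity: parse the URL, restrict the scheme, reject embedded credentials and IP-literal hosts, and require the hostname to be on an allowlist. Stage two runs on the address DNS actually returned, because an allowlisted name can still resolve to an internal address through misconfiguration or DNS rebinding. The allowlist and all inputs are constructed for the example.

```typescript
// Added example, not code from the claude-context repository.
// Guard for outbound requests whose URL comes from user input.

export type UrlCheck = { ok: true; url: URL } | { ok: false; reason: string };

// Constructed allowlist; a real deployment loads this from configuration.
export const ALLOWED_HOSTS = ["api.example.com", "milvus.example.com"];

function addressFamily(addr: string): 4 | 6 | 0 {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(addr)) return 4;
  if (/^[0-9a-f:.]+$/.test(addr) && addr.indexOf(":") >= 0) return 6;
  return 0;
}

// Stage one: syntactic checks plus hostname allowlist, no network activity.
export function validateOutboundUrl(input: string, allowedHosts: string[] = ALLOWED_HOSTS): UrlCheck {
  let url: URL;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  const host = url.hostname.toLowerCase();
  // The WHATWG parser normalises spellings like http://2130706433/ to a dotted quad,
  // so rejecting every IP literal here also covers decimal, octal and hex forms.
  if (addressFamily(host.replace(/^\[|\]$/g, "")) !== 0) {
    return { ok: false, reason: "IP literal host" };
  }
  // Exact match or a subdomain of an allowlisted host; "api.example.com.evil.net" fails both.
  if (!allowedHosts.some(h => host === h || host.endsWith("." + h))) {
    return { ok: false, reason: `host ${host} not in allowlist` };
  }
  return { ok: true, url };
}

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inCidr(ip: string, cidr: string): boolean {
  const [base, bits] = cidr.split("/");
  const block = 2 ** (32 - Number(bits));
  return Math.floor(ipv4ToInt(ip) / block) === Math.floor(ipv4ToInt(base) / block);
}

const FORBIDDEN_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
];

// Stage two: run on the resolved address immediately before connecting.
export function isForbiddenAddress(address: string): boolean {
  const addr = address.toLowerCase();
  const family = addressFamily(addr);
  if (family === 4) return FORBIDDEN_V4.some(c => inCidr(addr, c));
  if (family === 6) {
    if (addr === "::1" || addr === "::") return true;            // loopback, unspecified
    const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(addr);    // IPv4-mapped, dotted form
    if (mapped) return isForbiddenAddress(mapped[1]);
    const first = parseInt(addr.split(":")[0] || "0", 16);
    return (first & 0xffc0) === 0xfe80 || (first & 0xfe00) === 0xfc00; // fe80::/10, fc00::/7
  }
  return true; // not an address at all: refuse rather than guess
}
```

Wiring, not run here: `const c = validateOutboundUrl(userInput); if (!c.ok) reject; const { address } = await dns.promises.lookup(c.url.hostname); if (isForbiddenAddress(address)) reject;` then issue the request with redirects disabled (`redirect: "manual"` in fetch) and repeat both checks for every redirect target, since a redirect is the usual way an allowlisted host forwards the client to an internal one. The IPv4-mapped check only covers the dotted spelling; if a resolver returns the hex form (`::ffff:7f00:1`) it is treated as a plain IPv6 address, so normalise it first or reject mapped addresses outright.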
high SEC083 JS: new RegExp() with non-literal
packages/mcp/scripts/path-resolution-e2e.mjs:71 · conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
high SEC085 JS: child_process.exec with non-literal
scripts/build-benchmark.js:19 · conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
high SEC114 path.join / Path() on user-controlled segment without containment check
packages/mcp/src/utils.ts:23 · conf 1.00
[SEC114] path.join / Path() on user-controlled segment without containment check: filepath.Clean / path.Join on attacker-supplied segments does NOT prevent escape from the base directory. `../../../e…
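Added example (editor's code, not from zilliztech/claude-context): the point the SEC114 finding makes, shown on constructed values. `path.join` normalises `..` segments but will happily hand back a path outside the base directory; a containment check has to be a separate step, and a string-prefix comparison is not enough because `/srv/index-other` starts with `/srv/index`. The base directory and user segments below are constructed; `path.posix` is used so the results are the same on every platform.

```typescript
// Added example, not code from the claude-context repository.
// path.join only normalises; resolveContained refuses anything that leaves the base.
import * as path from "path";

// path.posix keeps the worked values below identical on every platform.
const p = path.posix;

export function joinUnsafe(base: string, userSegment: string): string {
  return p.join(base, userSegment); // "../../../etc/passwd" comes back as /etc/passwd
}

export function resolveContained(
  base: string,
  userSegment: string,
  // Pass fs.realpathSync in production so a symlink inside base cannot point outside it;
  // the identity default keeps this example free of filesystem access.
  realpath: (s: string) => string = s => s,
): string | null {
  if (userSegment.indexOf("\0") >= 0) return null; // NUL truncates paths in C-level APIs
  const root = realpath(p.resolve(base));
  const target = realpath(p.resolve(root, userSegment));
  // The walk from root to target: empty means target is root itself, a leading ".."
  // segment or an absolute result means target is outside root. This is not a prefix check,
  // so /srv/index-other is correctly treated as outside /srv/index.
  const rel = p.relative(root, target);
  if (rel === "") return root;
  if (rel === ".." || rel.startsWith(".." + p.sep) || p.isAbsolute(rel)) return null;
  return target;
}
```

When the target does not exist yet (a file about to be written), `realpathSync` throws; resolve the nearest existing ancestor instead and re-append the remaining segments before the relative-path check.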
medium COMP001 High cognitive complexity
evaluation/analyze_and_plot_mcp_efficiency.py:54 · conf 0.95
[COMP001] High cognitive complexity: Function `load_method_results` has cognitive complexity 20 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand —…
medium MINED109 Mutable default argument CWE-1023
evaluation/run_evaluation.py:14 · conf 1.00
[MINED109] Mutable default argument in `main` (list): `def main(... = []/{}/set())` — Python's default value is constructed ONCE at function definition time and shared across all calls. Mutating it i…
medium MINED111 Bare except continues silently
evaluation/analyze_and_plot_mcp_efficiency.py:102 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
evaluation/servers/grep_server.py:211 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
evaluation/servers/read_server.py:132 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
evaluation/servers/read_server.py:181 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
evaluation/servers/read_server.py:266 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
evaluation/utils/format.py:191 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/test_endtoend.py:99 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium MINED111 Bare except continues silently
python/ts_executor.py:302 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
medium SEC127 AI agent stub — TODO: implement / pass placeholder body
evaluation/retrieval/base.py:176 · conf 1.00
[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…
low AIC003 Duplicated implementation block across source files
packages/core/src/vectordb/milvus-vectordb.ts:41 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
packages/vscode-extension/src/commands/syncCommand.ts:7 · conf 0.86
Duplicated implementation block across source files
low COMP001 High cognitive complexity
evaluation/generate_subset_json.py:26 · conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches…
info COMP001 High cognitive complexity
· conf 0.20
[COMP001] High cognitive complexity (and 6 more): Same pattern found in 6 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 18 more): Same pattern found in 18 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
examples/basic-usage/index.ts:13 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
packages/chrome-extension/src/config/milvusConfig.ts:33 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
packages/chrome-extension/src/milvus/chromeMilvusAdapter.ts:63 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
packages/vscode-extension/src/commands/searchCommand.ts:79 · conf 0.10
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED049 Print Pii CWE-532
evaluation/analyze_and_plot_mcp_efficiency.py:128 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
examples/basic-usage/index.ts:108 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED049 Print Pii CWE-532
packages/chrome-extension/src/milvus/chromeMilvusAdapter.ts:230 · conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
info MINED050 Stub Only Function CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 1 more): Same pattern found in 1 additional files. Review if needed.
info MINED050 Stub Only Function CWE-1188
evaluation/retrieval/base.py:177 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
evaluation/servers/grep_server.py:127 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED050 Stub Only Function CWE-1188
evaluation/servers/read_server.py:257 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 5 more): Same pattern found in 5 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
packages/core/src/embedding/gemini-embedding.ts:100 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
packages/core/src/embedding/ollama-embedding.ts:7 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
packages/core/src/splitter/ast-splitter.ts:32 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info SEC002 Hardcoded API Key
examples/basic-usage/index.ts:109 · conf 0.15
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
info SEC020 Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.
info SEC020 Secret Printed to Logs
examples/basic-usage/index.ts:108 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
packages/core/src/embedding/ollama-embedding.ts:65 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
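Added example (editor's code, not from zilliztech/claude-context) covering the SEC020 and MINED049 findings above: a redaction pass applied to a config or request object before it is logged. Values are masked by key name (api key, token, secret, password, authorization, private key) and, independently of the key, by value shape (a bearer string or an `sk-` style key), so a credential that lands under an innocuous key is still caught. The sample config is constructed and only resembles an embedding/vector-db client configuration; the key-name and value patterns are the editor's choice and should be extended for the secrets a given codebase actually carries.

```typescript
// Added example, not code from the claude-context repository.
// Returns a copy of the input with credential-bearing values masked, for safe logging.

const SECRET_KEY = /(api[-_]?key|token|secret|password|passwd|authorization|private[-_]?key)/i;
// Value shapes that are secrets whatever key they sit under: bearer strings and "sk-" style keys.
const SECRET_VALUE = /^(Bearer\s+\S+|sk-[A-Za-z0-9_-]{8,})$/;

export function mask(value: string): string {
  if (value.length <= 8) return "****";
  return "****" + value.slice(-4); // keep a tail so operators can tell keys apart
}

export function redactForLog(input: unknown, depth = 0): unknown {
  if (depth > 16) return "[depth limit]";
  if (typeof input === "string") return SECRET_VALUE.test(input) ? mask(input) : input;
  if (Array.isArray(input)) return input.map(v => redactForLog(v, depth + 1));
  if (input && typeof input === "object") {
    const src = input as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const k of Object.keys(src)) {
      const v = src[k];
      if (SECRET_KEY.test(k)) {
        // A secret-named key is masked regardless of its value; non-strings are dropped entirely.
        out[k] = typeof v === "string" ? mask(v) : "[redacted]";
      } else {
        out[k] = redactForLog(v, depth + 1);
      }
    }
    return out;
  }
  return input; // numbers, booleans, null, undefined pass through
}

// Constructed sample; none of these values are real credentials.
export const SAMPLE_CONFIG = {
  provider: "openai",
  apiKey: "sk-constructed-example-key-0123456789",
  milvus: { address: "https://milvus.example.com:19530", token: "root:ConstructedPassword123" },
  headers: { Authorization: "Bearer constructed.jwt.value" },
  retries: 3,
};
```

The function builds a new object rather than mutating the one passed in, so the live config keeps its values and only the log line is masked; call it on anything that goes to `console.log`, a logger, or an exception message that may be serialised.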
