https://github.com/encode/starlette.git · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED106 Phantom test coverage (assertion-free test) | high | 25 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| SEC127 AI agent stub — TODO: implement / pass placeholder body | medium | 4 |
| MINED001 Bare Except Pass | high | 4 |
| COMP001 High cognitive complexity: Function `load_yfinanc… | low | 4 |
| MINED072 Python Pass Only Class | info | 4 |
| SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from use… | high | 4 |
| MINED050 Stub Only Function | info | 4 |
| MINED111 Bare except continues silently | medium | 3 |
| WEB003 Public web service has no security.txt | medium | 1 |
MINED001 · Bare Except Pass · CWE-755 · starlette/authentication.py:94 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

MINED001 · Bare Except Pass · CWE-755 · starlette/concurrency.py:35 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

MINED001 · Bare Except Pass · CWE-755 · starlette/config.py:14 · conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.

MINED006 · Overcatch Baseexception · CWE-705 · starlette/_utils.py:82 · conf 1.00
[MINED006] Overcatch Baseexception: except BaseException: ... — prevents Ctrl+C and SystemExit from working.
MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/conftest.py:13 · conf 1.00
[MINED106] Phantom test coverage: test_client_factory: Test function `test_client_factory` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_applications.py:552 · conf 1.00
[MINED106] Phantom test coverage: test_lifespan_app_subclass: Test function `test_lifespan_app_subclass` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_config.py:12 · conf 1.00
[MINED106] Phantom test coverage: test_config_types: Test function `test_config_types` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line coverage …

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_config.py:105 · conf 1.00
[MINED106] Phantom test coverage: test_missing_env_file_raises: Test function `test_missing_env_file_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviou…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_datastructures.py:267 · conf 1.00
[MINED106] Phantom test coverage: test_mutable_headers_merge_not_mapping: Test function `test_mutable_headers_merge_not_mapping` runs code but contains no assert / expect / should call — it passes re…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_exceptions.py:108 · conf 1.00
[MINED106] Phantom test coverage: test_websockets_should_raise: Test function `test_websockets_should_raise` runs code but contains no assert / expect / should call — it passes regardless of behaviou…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_exceptions.py:210 · conf 1.00
[MINED106] Phantom test coverage: test_handlers_annotations: Test function `test_handlers_annotations` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_requests.py:241 · conf 1.00
[MINED106] Phantom test coverage: test_request_disconnect: Test function `test_request_disconnect` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_requests.py:633 · conf 1.00
[MINED106] Phantom test coverage: test_request_url_outside_starlette_context: Test function `test_request_url_outside_starlette_context` runs code but contains no assert / expect / should call — it p…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_routing.py:616 · conf 1.00
[MINED106] Phantom test coverage: test_standalone_ws_route_does_not_match: Test function `test_standalone_ws_route_does_not_match` runs code but contains no assert / expect / should call — it passes …

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_routing.py:626 · conf 1.00
[MINED106] Phantom test coverage: test_lifespan_state_unsupported: Test function `test_lifespan_state_unsupported` runs code but contains no assert / expect / should call — it passes regardless of be…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_routing.py:717 · conf 1.00
[MINED106] Phantom test coverage: test_raise_on_shutdown: Test function `test_raise_on_shutdown` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_routing.py:754 · conf 1.00
[MINED106] Phantom test coverage: test_duplicated_param_names: Test function `test_duplicated_param_names` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_routing.py:895 · conf 1.00
[MINED106] Phantom test coverage: test_mount_asgi_app_with_middleware_url_path_for: Test function `test_mount_asgi_app_with_middleware_url_path_for` runs code but contains no assert / expect / should…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_status.py:26 · conf 1.00
[MINED106] Phantom test coverage: test_unknown_status: Test function `test_unknown_status` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_testclient.py:166 · conf 1.00
[MINED106] Phantom test coverage: test_error_on_startup: Test function `test_error_on_startup` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line c…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_testclient.py:179 · conf 1.00
[MINED106] Phantom test coverage: test_exception_in_middleware: Test function `test_exception_in_middleware` runs code but contains no assert / expect / should call — it passes regardless of behaviou…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_testclient.py:427 · conf 1.00
[MINED106] Phantom test coverage: test_timeout_deprecation: Test function `test_timeout_deprecation` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds …

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:483 · conf 1.00
[MINED106] Phantom test coverage: test_duplicate_close: Test function `test_duplicate_close` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cov…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:551 · conf 1.00
[MINED106] Phantom test coverage: test_send_json_invalid_mode: Test function `test_send_json_invalid_mode` runs code but contains no assert / expect / should call — it passes regardless of behaviour.…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:563 · conf 1.00
[MINED106] Phantom test coverage: test_receive_json_invalid_mode: Test function `test_receive_json_invalid_mode` runs code but contains no assert / expect / should call — it passes regardless of beha…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:575 · conf 1.00
[MINED106] Phantom test coverage: test_receive_text_before_accept: Test function `test_receive_text_before_accept` runs code but contains no assert / expect / should call — it passes regardless of be…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:586 · conf 1.00
[MINED106] Phantom test coverage: test_receive_bytes_before_accept: Test function `test_receive_bytes_before_accept` runs code but contains no assert / expect / should call — it passes regardless of …

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:597 · conf 1.00
[MINED106] Phantom test coverage: test_receive_json_before_accept: Test function `test_receive_json_before_accept` runs code but contains no assert / expect / should call — it passes regardless of be…

MINED106 · Phantom test coverage (assertion-free test) · CWE-1126 · tests/test_websockets.py:608 · conf 1.00
[MINED106] Phantom test coverage: test_send_before_accept: Test function `test_send_before_accept` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds li…
MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/config.py:92 · conf 1.00
[MINED108] `self.get` used but never assigned in __init__: Method `__call__` of class `Config` reads `self.get`, but no assignment to it exists in __init__ (and no class-level fallback). This raises …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/config.py:103 · conf 1.00
[MINED108] `self._perform_cast` used but never assigned in __init__: Method `get` of class `Config` reads `self._perform_cast`, but no assignment to it exists in __init__ (and no class-level fallback…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:87 · conf 1.00
[MINED108] `self.on_field_start` used but never assigned in __init__: Method `parse` of class `FormParser` reads `self.on_field_start`, but no assignment to it exists in __init__ (and no class-level …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:88 · conf 1.00
[MINED108] `self.on_field_name` used but never assigned in __init__: Method `parse` of class `FormParser` reads `self.on_field_name`, but no assignment to it exists in __init__ (and no class-level fa…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:89 · conf 1.00
[MINED108] `self.on_field_data` used but never assigned in __init__: Method `parse` of class `FormParser` reads `self.on_field_data`, but no assignment to it exists in __init__ (and no class-level fa…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:90 · conf 1.00
[MINED108] `self.on_field_end` used but never assigned in __init__: Method `parse` of class `FormParser` reads `self.on_field_end`, but no assignment to it exists in __init__ (and no class-level fall…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:91 · conf 1.00
[MINED108] `self.on_end` used but never assigned in __init__: Method `parse` of class `FormParser` reads `self.on_end`, but no assignment to it exists in __init__ (and no class-level fallback). This …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:240 · conf 1.00
[MINED108] `self.on_part_begin` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_part_begin`, but no assignment to it exists in __init__ (and no class-lev…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:241 · conf 1.00
[MINED108] `self.on_part_data` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_part_data`, but no assignment to it exists in __init__ (and no class-level…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:242 · conf 1.00
[MINED108] `self.on_part_end` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_part_end`, but no assignment to it exists in __init__ (and no class-level f…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:243 · conf 1.00
[MINED108] `self.on_header_field` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_header_field`, but no assignment to it exists in __init__ (and no class…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:244 · conf 1.00
[MINED108] `self.on_header_value` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_header_value`, but no assignment to it exists in __init__ (and no class…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:245 · conf 1.00
[MINED108] `self.on_header_end` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_header_end`, but no assignment to it exists in __init__ (and no class-lev…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:246 · conf 1.00
[MINED108] `self.on_headers_finished` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_headers_finished`, but no assignment to it exists in __init__ (and …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/formparsers.py:247 · conf 1.00
[MINED108] `self.on_end` used but never assigned in __init__: Method `parse` of class `MultiPartParser` reads `self.on_end`, but no assignment to it exists in __init__ (and no class-level fallback). …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:57 · conf 1.00
[MINED108] `self._remove_converter` used but never assigned in __init__: Method `get_endpoints` of class `BaseSchemaGenerator` reads `self._remove_converter`, but no assignment to it exists in __init…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:66 · conf 1.00
[MINED108] `self.get_endpoints` used but never assigned in __init__: Method `get_endpoints` of class `BaseSchemaGenerator` reads `self.get_endpoints`, but no assignment to it exists in __init__ (and …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:74 · conf 1.00
[MINED108] `self._remove_converter` used but never assigned in __init__: Method `get_endpoints` of class `BaseSchemaGenerator` reads `self._remove_converter`, but no assignment to it exists in __init…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:80 · conf 1.00
[MINED108] `self._remove_converter` used but never assigned in __init__: Method `get_endpoints` of class `BaseSchemaGenerator` reads `self._remove_converter`, but no assignment to it exists in __init…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:124 · conf 1.00
[MINED108] `self.get_schema` used but never assigned in __init__: Method `OpenAPIResponse` of class `BaseSchemaGenerator` reads `self.get_schema`, but no assignment to it exists in __init__ (and no c…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:135 · conf 1.00
[MINED108] `self.get_endpoints` used but never assigned in __init__: Method `get_schema` of class `SchemaGenerator` reads `self.get_endpoints`, but no assignment to it exists in __init__ (and no clas…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/schemas.py:138 · conf 1.00
[MINED108] `self.parse_docstring` used but never assigned in __init__: Method `get_schema` of class `SchemaGenerator` reads `self.parse_docstring`, but no assignment to it exists in __init__ (and no …

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/_utils.py:70 · conf 1.00
[MINED108] `self.entered` used but never assigned in __init__: Method `__aenter__` of class `AwaitableOrContextManagerWrapper` reads `self.entered`, but no assignment to it exists in __init__ (and no…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/_utils.py:71 · conf 1.00
[MINED108] `self.entered` used but never assigned in __init__: Method `__aenter__` of class `AwaitableOrContextManagerWrapper` reads `self.entered`, but no assignment to it exists in __init__ (and no…

MINED108 · self.attribute used but never assigned in __init__ · CWE-476 · starlette/_utils.py:74 · conf 1.00
[MINED108] `self.entered` used but never assigned in __init__: Method `__aexit__` of class `AwaitableOrContextManagerWrapper` reads `self.entered`, but no assignment to it exists in __init__ (and no …
SEC013 · Path Traversal — User Input in File Path · starlette/config.py:113 · conf 0.80
[SEC013] Path Traversal — User Input in File Path: User-controlled input used in file path without sanitization. Allows reading arbitrary files.

SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · starlette/middleware/httpsredirect.py:12 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · starlette/middleware/trustedhost.py:55 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · starlette/requests.py:110 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…

SEC030 · Open Redirect — user-controlled redirect target · starlette/middleware/trustedhost.py:57 · conf 1.00
[SEC030] Open Redirect — user-controlled redirect target: Redirect target is taken directly from user input without validating that the destination is local to the site. Attackers craft phishing URLs…

SEC128 · Async function without await — fire-and-forget Promise (AI mistake) · starlette/middleware/cors.py:163 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…

MINED111 · Bare except continues silently · starlette/_exception_handler.py:43 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

MINED111 · Bare except continues silently · starlette/middleware/base.py:145 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

MINED111 · Bare except continues silently · starlette/testclient.py:346 · conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.

SEC127 · AI agent stub — TODO: implement / pass placeholder body · starlette/authentication.py:99 · conf 1.00
[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

SEC127 · AI agent stub — TODO: implement / pass placeholder body · starlette/convertors.py:13 · conf 1.00
[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

SEC127 · AI agent stub — TODO: implement / pass placeholder body · starlette/middleware/base.py:200 · conf 1.00
[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…

WEB003 · Public web service has no security.txt · .well-known/security.txt · conf 0.78
Public web service has no security.txt

COMP001 · High cognitive complexity · starlette/endpoints.py:70 · conf 0.95
Rule description as reported by the scanner (its `load_yfinance_data` example is the rule's own template, not a function in this repository): [COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
[COMP001] High cognitive complexity: Function `dispatch` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested bran…

COMP001 · High cognitive complexity · starlette/endpoints.py:91 · conf 0.95
[COMP001] High cognitive complexity: Function `decode` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branc…

COMP001 · High cognitive complexity · starlette/_exception_handler.py:31 · conf 0.95
[COMP001] High cognitive complexity: Function `wrapped_app` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested …

COMP001 · High cognitive complexity · conf 0.20
[COMP001] High cognitive complexity (and 18 more): Same pattern found in 18 additional files. Review if needed.
MINED001 · Bare Except Pass · CWE-755 · conf 0.20
[MINED001] Bare Except Pass (and 3 more): Same pattern found in 3 additional files. Review if needed.

MINED050 · Stub Only Function · CWE-1188 · conf 0.20
[MINED050] Stub Only Function (and 7 more): Same pattern found in 7 additional files. Review if needed.

MINED050 · Stub Only Function · CWE-1188 · starlette/authentication.py:95 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

MINED050 · Stub Only Function · CWE-1188 · starlette/concurrency.py:36 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

MINED050 · Stub Only Function · CWE-1188 · starlette/config.py:11 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.

MINED072 · Python Pass Only Class · CWE-1188 · conf 0.20
[MINED072] Python Pass Only Class (and 1 more): Same pattern found in 1 additional files. Review if needed.

MINED072 · Python Pass Only Class · CWE-1188 · starlette/authentication.py:94 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

MINED072 · Python Pass Only Class · CWE-1188 · starlette/concurrency.py:35 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

MINED072 · Python Pass Only Class · CWE-1188 · starlette/config.py:10 · conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.

SEC029 · Server-Side Request Forgery (SSRF) — outbound HTTP from user input · conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 1 more): Same pattern found in 1 additional files. Review if needed.

SEC127 · AI agent stub — TODO: implement / pass placeholder body · conf 0.20
[SEC127] AI agent stub — TODO: implement / pass placeholder body (and 1 more): Same pattern found in 1 additional files. Review if needed.