https://github.com/affaan-m/ECC
lang: javascript
LOC:
source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| AIC003 Duplicated implementation block across source files | low | 30 |
| MINED108 self.attribute used but never assigned in __init__ | high | 25 |
| MINED106 Phantom test coverage (assertion-free test) | high | 18 |
| SEC045 eval()/exec() on stored or user-supplied data | medium | 4 |
| MINED111 Bare except continues silently | medium | 4 |
| SEC040 innerHTML XSS — template literal with server-supplied data | high | 4 |
| SEC085 JS: child_process.exec with non-literal | high | 4 |
| MINED044 Js Console Log Prod | info | 4 |
| SEC020 Secret Printed to Logs | high | 4 |
| COMP001 [COMP001] High cognitive complexity: Function `load_yfinanc… | low | 4 |
MINED024
Js Eval Usage
CWE-95
.opencode/tools/security-audit.ts:233
· conf 1.00
[MINED024] Js Eval Usage: eval() executes arbitrary code. Code injection risk.
MINED120
package.json (pre|post)install hook runs network/exec
CWE-506
package.json:1
· conf 0.90
[MINED120] package.json `scripts.postinstall` runs network/exec on install: `scripts.postinstall: echo '\n ecc-universal installed!\n Run: npx ecc typescript\n Compat: npx ecc-install typescript\n…
SEC084
JS: require() with non-literal
scripts/hooks/run-with-flags.js:134
· conf 1.00
[SEC084] JS: require() with non-literal: require(<variable>) loads arbitrary modules — equivalent to eval at module scope. Ported from eslint-plugin-security detect-non-literal-require (Apache-2.0).
MINED001
Bare Except Pass
CWE-755
skills/videodb/scripts/ws_listener.py:73
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED004
Weak Crypto
CWE-327
scripts/hooks/post-edit-accumulator.js:27
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED004
Weak Crypto
CWE-327
scripts/hooks/stop-format-typecheck.js:43
· conf 1.00
[MINED004] Weak Crypto: MD5/SHA1/DES/RC4 used for security context (not just checksums).
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
integrations/aura/tests/test_adapter.py:84
· conf 1.00
[MINED106] Phantom test coverage: test_gate_rejects_unknown_by_default: Test function `test_gate_rejects_unknown_by_default` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
integrations/aura/tests/test_adapter.py:89
· conf 1.00
[MINED106] Phantom test coverage: test_strict_allow_rejects_new: Test function `test_strict_allow_rejects_new` runs code but contains no assert / expect / should call — it passes regardless of behavi…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
integrations/aura/tests/test_adapter.py:103
· conf 1.00
[MINED106] Phantom test coverage: test_gate_fail_closed_on_unreachable: Test function `test_gate_fail_closed_on_unreachable` runs code but contains no assert / expect / should call — it passes regard…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
integrations/aura/tests/test_adapter.py:116
· conf 1.00
[MINED106] Phantom test coverage: test_fail_open_does_not_pass_reachable_unknown: Test function `test_fail_open_does_not_pass_reachable_unknown` runs code but contains no assert / expect / should cal…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
integrations/aura/tests/test_adapter.py:131
· conf 1.00
[MINED106] Phantom test coverage: test_rejects_bad_did: Test function `test_rejects_bad_did` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cov…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/continuous-learning-v2/scripts/test_parse_instinct.py:289
· conf 1.00
[MINED106] Phantom test coverage: test_validate_rejects_etc: Test function `test_validate_rejects_etc` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/continuous-learning-v2/scripts/test_parse_instinct.py:294
· conf 1.00
[MINED106] Phantom test coverage: test_validate_rejects_var_log: Test function `test_validate_rejects_var_log` runs code but contains no assert / expect / should call — it passes regardless of behavi…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/continuous-learning-v2/scripts/test_parse_instinct.py:299
· conf 1.00
[MINED106] Phantom test coverage: test_validate_rejects_usr: Test function `test_validate_rejects_usr` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Add…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/continuous-learning-v2/scripts/test_parse_instinct.py:304
· conf 1.00
[MINED106] Phantom test coverage: test_validate_rejects_proc: Test function `test_validate_rejects_proc` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/continuous-learning-v2/scripts/test_parse_instinct.py:309
· conf 1.00
[MINED106] Phantom test coverage: test_validate_must_exist_fails: Test function `test_validate_must_exist_fails` runs code but contains no assert / expect / should call — it passes regardless of beha…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/skill-comply/tests/test_parser.py:49
· conf 1.00
[MINED106] Phantom test coverage: test_nonexistent_file_raises: Test function `test_nonexistent_file_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/skill-comply/tests/test_runner.py:67
· conf 1.00
[MINED106] Phantom test coverage: test_tolerates_missing_executable: Test function `test_tolerates_missing_executable` runs code but contains no assert / expect / should call — it passes regardless o…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/skill-comply/tests/test_runner.py:113
· conf 1.00
[MINED106] Phantom test coverage: test_rc1_with_max_turns_marker_returns_normally: Test function `test_rc1_with_max_turns_marker_returns_normally` runs code but contains no assert / expect / should c…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
skills/skill-comply/tests/test_runner.py:132
· conf 1.00
[MINED106] Phantom test coverage: test_rc1_without_max_turns_marker_still_raises: Test function `test_rc1_without_max_turns_marker_still_raises` runs code but contains no assert / expect / should cal…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_builder.py:43
· conf 1.00
[MINED106] Phantom test coverage: test_rejects_config_with_keyword_options: Test function `test_rejects_config_with_keyword_options` runs code but contains no assert / expect / should call — it passe…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_provider_tools.py:95
· conf 1.00
[MINED106] Phantom test coverage: test_openai_provider_rejects_empty_or_filtered_responses: Test function `test_openai_provider_rejects_empty_or_filtered_responses` runs code but contains no assert /…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_resolver.py:36
· conf 1.00
[MINED106] Phantom test coverage: test_invalid_provider_raises: Test function `test_invalid_provider_raises` runs code but contains no assert / expect / should call — it passes regardless of behaviou…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
tests/test_templates.py:69
· conf 1.00
[MINED106] Phantom test coverage: test_register_template_rejects_empty_inputs: Test function `test_register_template_rejects_empty_inputs` runs code but contains no assert / expect / should call — it…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:329
· conf 1.00
[MINED108] `self.update_idletasks` used but never assigned in __init__: Method `center_window` of class `ECCDashboard` reads `self.update_idletasks`, but no assignment to it exists in __init__ (and n…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:330
· conf 1.00
[MINED108] `self.winfo_width` used but never assigned in __init__: Method `center_window` of class `ECCDashboard` reads `self.winfo_width`, but no assignment to it exists in __init__ (and no class-le…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:331
· conf 1.00
[MINED108] `self.winfo_height` used but never assigned in __init__: Method `center_window` of class `ECCDashboard` reads `self.winfo_height`, but no assignment to it exists in __init__ (and no class-…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:332
· conf 1.00
[MINED108] `self.winfo_screenwidth` used but never assigned in __init__: Method `center_window` of class `ECCDashboard` reads `self.winfo_screenwidth`, but no assignment to it exists in __init__ (and…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:333
· conf 1.00
[MINED108] `self.winfo_screenheight` used but never assigned in __init__: Method `center_window` of class `ECCDashboard` reads `self.winfo_screenheight`, but no assignment to it exists in __init__ (a…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:334
· conf 1.00
[MINED108] `self.geometry` used but never assigned in __init__: Method `center_window` of class `ECCDashboard` reads `self.geometry`, but no assignment to it exists in __init__ (and no class-level fa…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:347
· conf 1.00
[MINED108] `self.logo_image` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.logo_image`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:348
· conf 1.00
[MINED108] `self.logo_image` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.logo_image`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:349
· conf 1.00
[MINED108] `self.logo_image` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.logo_image`, but no assignment to it exists in __init__ (and no class-lev…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:353
· conf 1.00
[MINED108] `self.title_label` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.title_label`, but no assignment to it exists in __init__ (and no class-l…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:354
· conf 1.00
[MINED108] `self.title_label` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.title_label`, but no assignment to it exists in __init__ (and no class-l…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:355
· conf 1.00
[MINED108] `self.version_label` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.version_label`, but no assignment to it exists in __init__ (and no cla…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:356
· conf 1.00
[MINED108] `self.version_label` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.version_label`, but no assignment to it exists in __init__ (and no cla…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:359
· conf 1.00
[MINED108] `self.notebook` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.notebook`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:360
· conf 1.00
[MINED108] `self.notebook` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.notebook`, but no assignment to it exists in __init__ (and no class-level f…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:363
· conf 1.00
[MINED108] `self.create_agents_tab` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.create_agents_tab`, but no assignment to it exists in __init__ (an…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:364
· conf 1.00
[MINED108] `self.create_skills_tab` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.create_skills_tab`, but no assignment to it exists in __init__ (an…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:365
· conf 1.00
[MINED108] `self.create_commands_tab` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.create_commands_tab`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:366
· conf 1.00
[MINED108] `self.create_rules_tab` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.create_rules_tab`, but no assignment to it exists in __init__ (and …
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:367
· conf 1.00
[MINED108] `self.create_settings_tab` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.create_settings_tab`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:373
· conf 1.00
[MINED108] `self.status_label` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.status_label`, but no assignment to it exists in __init__ (and no class…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:376
· conf 1.00
[MINED108] `self.status_label` used but never assigned in __init__: Method `create_widgets` of class `ECCDashboard` reads `self.status_label`, but no assignment to it exists in __init__ (and no class…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:392
· conf 1.00
[MINED108] `self.agent_search` used but never assigned in __init__: Method `create_agents_tab` of class `ECCDashboard` reads `self.agent_search`, but no assignment to it exists in __init__ (and no cl…
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:397
· conf 1.00
[MINED108] `self.agent_count_label` used but never assigned in __init__: Method `create_agents_tab` of class `ECCDashboard` reads `self.agent_count_label`, but no assignment to it exists in __init__ …
MINED108
self.attribute used but never assigned in __init__
CWE-476
ecc_dashboard.py:409
· conf 1.00
[MINED108] `self.agent_tree` used but never assigned in __init__: Method `create_agents_tab` of class `ECCDashboard` reads `self.agent_tree`, but no assignment to it exists in __init__ (and no class-…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
integrations/aura/adapter.py:132
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
skills/ios-icon-gen/scripts/generate_icons.swift:118
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
src/llm/providers/ollama.py:73
· conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
SEC040
innerHTML XSS — template literal with server-supplied data
.opencode/tools/changed-files.ts:60
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
.opencode/tools/check-coverage.ts:95
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC040
innerHTML XSS — template literal with server-supplied data
scripts/codemaps/generate.ts:247
· conf 1.00
[SEC040] innerHTML XSS — template literal with server-supplied data: Setting .innerHTML with a template literal that interpolates server-supplied or user-supplied data is the canonical stored/reflect…
SEC083
JS: new RegExp() with non-literal
scripts/ci/check-unicode-safety.js:63
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC083
JS: new RegExp() with non-literal
scripts/hooks/session-end.js:260
· conf 1.00
[SEC083] JS: new RegExp() with non-literal: new RegExp(<variable>) — variable input can craft a ReDoS pattern. Ported from eslint-plugin-security detect-non-literal-regexp (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
.opencode/tools/git-summary.ts:52
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
scripts/ci/validate-no-personal-paths.js:60
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
SEC085
JS: child_process.exec with non-literal
scripts/codex/merge-codex-config.js:70
· conf 1.00
[SEC085] JS: child_process.exec with non-literal: child_process.exec with user-derived input enables command injection. Ported from eslint-plugin-security detect-child-process (Apache-2.0).
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
skills/frontend-slides/scripts/extract-pptx.py:18
· conf 0.95
[COMP001] High cognitive complexity: Function `extract_pptx` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested…
MINED111
Bare except continues silently
ecc_dashboard.py:816
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
skills/continuous-learning-v2/scripts/instinct-cli.py:494
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
skills/continuous-learning-v2/scripts/instinct-cli.py:762
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
src/llm/tools/executor.py:54
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC045
eval()/exec() on stored or user-supplied data
.opencode/tools/security-audit.ts:233
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
scripts/ci/validate-no-personal-paths.js:60
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC045
eval()/exec() on stored or user-supplied data
scripts/codex/merge-codex-config.js:70
· conf 1.00
[SEC045] eval()/exec() on stored or user-supplied data: eval() and exec() on data — even admin-stored data — is a lateral-movement vector after any one credential compromise. Sandboxes (__builtins__ …
SEC127
AI agent stub — TODO: implement / pass placeholder body
src/llm/core/interface.py:29
· conf 1.00
[SEC127] AI agent stub — TODO: implement / pass placeholder body: Function body left as TODO/pass/raise NotImplementedError after an AI scaffolding pass. The route appears to exist (and may even pass…
SEC136
AI-typical over-broad exception handler swallowing all errors
scripts/preview-pack-smoke.js:169
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
AIC002
Source file name looks like an AI patch artifact
scripts/auto-update.js:1
· conf 0.62
Source file name looks like an AI patch artifact
AIC003
Duplicated implementation block across source files
.codebuddy/uninstall.js:71
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/mcp-health-check.js:75
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/plugin-hook-bootstrap.js:26
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/post-bash-pr-created.js:24
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/post-edit-accumulator.js:28
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/pre-bash-git-push-reminder.js:15
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/pre-bash-tmux-reminder.js:18
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/pre-bash-tmux-reminder.js:19
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/run-with-flags.js:12
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/run-with-flags.js:13
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/hooks/session-end-marker.js:39
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/install-plan.js:103
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install/apply.js:6
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install/request.js:41
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/claude-project.js:1
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/codebuddy-project.js:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/cursor-project.js:18
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/joycode-project.js:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/joycode-project.js:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/zed-project.js:14
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/install-targets/zed-project.js:21
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/lib/skill-evolution/versioning.js:105
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/list-installed.js:8
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/observability-readiness.js:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/platform-audit.js:41
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/platform-audit.js:188
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/platform-audit.js:228
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/preview-pack-smoke.js:116
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/preview-pack-smoke.js:129
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
scripts/release-approval-gate.js:101
· conf 0.86
Duplicated implementation block across source files
AIC009
Multiple AI-agent scaffold marker files are present
.github/copilot-instructions.md:1
· conf 0.68
Multiple AI-agent scaffold marker files are present
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
scripts/hooks/insaits-security-monitor.py:95
· conf 0.95
[COMP001] High cognitive complexity: Function `extract_content` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nest…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
scripts/hooks/insaits-security-monitor.py:187
· conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 10 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
SEC132
String concat where the language has interpolation (AI style drift)
.cursor/hooks/after-shell-execution.js:16
· conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 15 more): Same pattern found in 15 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 55 more): Same pattern found in 55 additional files. Review if needed.
MINED044
Js Console Log Prod
CWE-532
.codebuddy/install.js:74
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
.codebuddy/uninstall.js:143
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED044
Js Console Log Prod
CWE-532
.cursor/hooks/after-mcp-execution.js:9
· conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
MINED050
Stub Only Function
CWE-1188
skills/videodb/scripts/ws_listener.py:74
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
src/llm/core/interface.py:30
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED055
Npm Install No Lockfile
CWE-1357
scripts/hooks/insaits-security-monitor.py:13
· conf 1.00
[MINED055] Npm Install No Lockfile: Production image runs npm install (resolves new versions on every build) instead of npm ci.
MINED058
React Dangerously Set Html
CWE-79
.opencode/tools/security-audit.ts:235
· conf 1.00
[MINED058] React Dangerously Set Html: dangerouslySetInnerHTML bypasses React's JSX escaping. Pair with DOMPurify or never use with user data.
MINED059
Rust Expect In Prod
CWE-755
ecc2/src/session/output.rs:166
· conf 1.00
[MINED059] Rust Expect In Prod: .expect(...) panics same as unwrap with a custom message.
MINED062
Python Dataclass No Fields
integrations/aura/adapter.py:64
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED064
Python Input Call
src/llm/cli/selector.py:43
· conf 1.00
[MINED064] Python Input Call: input() blocks for stdin. Inappropriate in services.
SEC020
Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional file. Review if needed.
SEC020
Secret Printed to Logs
.cursor/hooks/before-submit-prompt.js:16
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
scripts/codex/merge-codex-config.js:218
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
scripts/control-pane.js:36
· conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC040
innerHTML XSS — template literal with server-supplied data
· conf 0.20
[SEC040] innerHTML XSS — template literal with server-supplied data (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC045
eval()/exec() on stored or user-supplied data
· conf 0.20
[SEC045] eval()/exec() on stored or user-supplied data (and 1 more): Same pattern found in 1 additional file. Review if needed.
SEC085
JS: child_process.exec with non-literal
· conf 0.20
[SEC085] JS: child_process.exec with non-literal (and 1 more): Same pattern found in 1 additional file. Review if needed.