cloudwego/abcoder

https://github.com/cloudwego/abcoder · lang: go · LOC: · source: user_submitted

Quality: 86.9 (Grade A-)
Security: 100.0
Findings: 75 (0 critical · 30 high)
Status: completed · May 31, 2026 01:23
Severity breakdown: high: 30 · medium: 4 · low: 11 · info: 30
Top rules by occurrence
Rule · Severity · Count
MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) · high · 13
AIC003 Duplicated implementation block across source files · low · 6
MINED113 Express POST/PUT/DELETE/PATCH route without auth · high · 6
MINED071 Go Panic Call · info · 4
SEC020 Secret Printed to Logs · high · 4
MINED052 Ts Any Typed · info · 4
MINED060 Go Context No Cancel · info · 4
MINED044 Js Console Log Prod · info · 4
MINED045 Ts Non Null Assertion · info · 3
MINED054 Ts As Any · info · 3
First 75 findings (severity-sorted)
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 · CWE-862
ts-parser/test-repo/src/index.ts:65 · conf 0.80
[MINED113] Express POST /api/token has no auth: Express route POST /api/token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated …
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 · CWE-862
ts-parser/test-repo/src/index.ts:72 · conf 0.80
[MINED113] Express POST /api/hash-password has no auth: Express route POST /api/hash-password declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on …
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 · CWE-862
ts-parser/test-repo/src/routes/AuthRoutes.ts:25 · conf 0.80
[MINED113] Express POST /register has no auth: Express route POST /register declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated ro…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 · CWE-862
ts-parser/test-repo/src/routes/AuthRoutes.ts:64 · conf 0.80
[MINED113] Express POST /login has no auth: Express route POST /login declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes a…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 · CWE-862
ts-parser/test-repo/src/routes/AuthRoutes.ts:107 · conf 0.80
[MINED113] Express POST /refresh-token has no auth: Express route POST /refresh-token declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthen…
high MINED113 Express POST/PUT/DELETE/PATCH route without auth CWE-306 · CWE-862
ts-parser/test-repo/src/routes/UserRoutes.ts:26 · conf 0.80
[MINED113] Express POST / has no auth: Express route POST / declared without an auth middleware in its handler chain. Destructive methods (POST/PUT/DELETE/PATCH) on unauthenticated routes are OWASP A…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/go-test.yml:31 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/go-test.yml:34 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/go-test.yml:39 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-check.yml:9 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/pr-check.yml:12 · conf 0.90
[MINED115] Action `apache/skywalking-eyes/header` pinned to mutable ref `@v0.4.0`: `uses: apache/skywalking-eyes/header@v0.4.0` resolves at workflow-run time. Tags and branches can be re-pushed by th…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:27 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:32 · conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:38 · conf 0.90
[MINED115] Action `actions/setup-go` pinned to mutable ref `@v5`: `uses: actions/setup-go@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:46 · conf 0.90
[MINED115] Action `dtolnay/rust-toolchain` pinned to mutable ref `@stable`: `uses: dtolnay/rust-toolchain@stable` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner…
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:52 · conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:57 · conf 0.90
[MINED115] Action `actions/setup-java` pinned to mutable ref `@v4`: `uses: actions/setup-java@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:63 · conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
high MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) CWE-829
.github/workflows/regression.yml:112 · conf 0.90
[MINED115] Action `actions/upload-artifact` pinned to mutable ref `@v4`: `uses: actions/upload-artifact@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that…
high MINED128 go.mod replace directive points to local path or unrelated fork CWE-829
testdata/go/0_golang/cmd/go.mod:4 · conf 0.90
[MINED128] go.mod replaces `a.b/c` — points to a LOCAL path: `replace a.b/c => ../.` overrides the canonical dependency with a different source (points to a LOCAL path). Local-path replaces are fine …
high MINED130 package-lock resolved URL points off canonical registry CWE-829
ts-parser/src/parser/test/package-lock.json:1 · conf 0.90
[MINED130] Lockfile pulls package from off-canonical host `bnpm.byted.org`: `package-lock.json` resolved URL for `node_modules/@ampproject/remapping` is `https://bnpm.byted.org/@ampproject/remapping/…
high MINED130 package-lock resolved URL points off canonical registry CWE-829
ts-parser/src/utils/test/package-lock.json:1 · conf 0.90
[MINED130] Lockfile pulls package from off-canonical host `bnpm.byted.org`: `package-lock.json` resolved URL for `node_modules/@ampproject/remapping` is `https://bnpm.byted.org/@ampproject/remapping/…
high MINED134 Binary file committed in source repo
lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar:1 · conf 0.90
[MINED134] Binary file `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` committed in source repo: `lang/java/ipc/abcoder-java-analyzer-1.0-SNAPSHOT.jar` is a .jar binary (18,763,322 bytes) comm…
high SEC029 Server-Side Request Forgery (SSRF) — outbound HTTP from user input
lang/java/pb/lib.go:143 · conf 1.00
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.25…
high SEC093 Go: exec.Command with non-literal
lang/java/ipc/server.go:180 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
lang/lsp/client.go:247 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC093 Go: exec.Command with non-literal
lang/rust/repo.go:157 · conf 1.00
[SEC093] Go: exec.Command with non-literal: exec.Command(<var>) — variable command name allows command injection. Ported from gosec G204 (Apache-2.0).
high SEC128 Async function without await — fire-and-forget Promise (AI mistake)
ts-parser/src/utils/cluster-processor.ts:217 · conf 1.00
[SEC128] Async function without await — fire-and-forget Promise (AI mistake): Async call invoked without `await` returns an unhandled Promise. The outer function resolves before the inner work comple…
high SEC135 Auth/permission check missing on AI-generated endpoint
ts-parser/test-repo/src/index.ts:65 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
high SEC135 Auth/permission check missing on AI-generated endpoint
ts-parser/test-repo/src/routes/AuthRoutes.ts:107 · conf 1.00
[SEC135] Auth/permission check missing on AI-generated endpoint: Mutating HTTP endpoint generated by an AI agent without an auth decorator or middleware. The number-one production-incident pattern we…
medium COMP001 High cognitive complexity
script/diffjson.py:66 · conf 0.95
[COMP001] High cognitive complexity: Function `format_diff_custom` has cognitive complexity 16 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — …
medium COMP001 High cognitive complexity
script/diffjson.py:191 · conf 0.95
[COMP001] High cognitive complexity: Function `main` has cognitive complexity 15 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branche…
medium MINED124 requirements.txt entry has no version pin CWE-1357
script/requirements.txt:1 · conf 0.90
[MINED124] requirements.txt: `deepdiff` has no version pin: Unpinned pip requirement means every fresh install may resolve a different version. Newer releases can introduce malicious code (typosquats…
medium SEC119 World-writable / world-readable file permissions
internal/cmd/init_spec.go:151 · conf 1.00
[SEC119] World-writable / world-readable file permissions: World-writable files let any local user (or container neighbor) tamper with data; world-readable files leak secrets.
low AIC003 Duplicated implementation block across source files
lang/cpp/spec.go:255 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
lang/utils/err.go:11 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
lang/utils/strings.go:40 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
testdata/python/1_single/main.py:15 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
testdata/python/1_single/main.py:46 · conf 0.86
Duplicated implementation block across source files
low AIC003 Duplicated implementation block across source files
ts-parser/src/parser/VarParser.ts:384 · conf 0.86
Duplicated implementation block across source files
low COMP001 High cognitive complexity
script/diffjson.py:150 · conf 0.95
[COMP001] High cognitive complexity: Function `process_directory_comparison` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to und…
low ERR003 Ignored Error (Go)
lang/lsp/lsp.go:168 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 Ignored Error (Go)
lang/parse.go:70 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low ERR003 Ignored Error (Go)
lang/utils/files.go:28 · conf 1.00
[ERR003] Ignored Error (Go): Ignoring error return values.
low SEC132 String concat where the language has interpolation (AI style drift)
lang/java/pb/lib.go:140 · conf 1.00
[SEC132] String concat where the language has interpolation (AI style drift): String built by concatenation where the language has cleaner interpolation (Python f-strings since 3.6, JS template liter…
info MINED044 Js Console Log Prod CWE-532
· conf 0.20
[MINED044] Js Console Log Prod (and 12 more): Same pattern found in 12 additional files. Review if needed.
info MINED044 Js Console Log Prod CWE-532
ts-parser/src/index.ts:31 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
ts-parser/src/parser/ModuleParser.ts:34 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED044 Js Console Log Prod CWE-532
ts-parser/src/parser/RepositoryParser.ts:44 · conf 1.00
[MINED044] Js Console Log Prod: console.log left in code. Should be replaced with logger or removed.
info MINED045 Ts Non Null Assertion CWE-476
ts-parser/src/utils/graph-builder.ts:101 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
ts-parser/src/utils/parsing-strategy.ts:132 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED045 Ts Non Null Assertion CWE-476
ts-parser/src/utils/typescript-structure.ts:155 · conf 1.00
[MINED045] Ts Non Null Assertion: x! asserts not null - bypasses null checks - TypeError if wrong.
info MINED050 Stub Only Function CWE-1188
script/diffjson.py:63 · conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
info MINED052 Ts Any Typed CWE-704
· conf 0.20
[MINED052] Ts Any Typed (and 4 more): Same pattern found in 4 additional files. Review if needed.
info MINED052 Ts Any Typed CWE-704
ts-parser/src/parser/ModuleParser.ts:28 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
ts-parser/src/parser/RepositoryParser.ts:221 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED052 Ts Any Typed CWE-704
ts-parser/src/utils/tsconfig-cache.ts:9 · conf 1.00
[MINED052] Ts Any Typed: : any used as type annotation. Defeats TypeScript type safety.
info MINED054 Ts As Any CWE-704
ts-parser/src/parser/RepositoryParser.ts:224 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
ts-parser/src/utils/cluster-processor.ts:179 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED054 Ts As Any CWE-704
ts-parser/test-repo/src/routes/AuthRoutes.ts:115 · conf 1.00
[MINED054] Ts As Any: Casting to any (as any) bypasses type checking entirely.
info MINED060 Go Context No Cancel CWE-401
· conf 0.20
[MINED060] Go Context No Cancel (and 2 more): Same pattern found in 2 additional files. Review if needed.
info MINED060 Go Context No Cancel CWE-401
lang/lsp/client.go:59 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
lang/rust/utils/lsp.go:88 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED060 Go Context No Cancel CWE-401
llm/agent/cmd.go:48 · conf 1.00
[MINED060] Go Context No Cancel: context.Background() at request handler boundary leaks goroutines.
info MINED065 Cors Wildcard CWE-942 · CWE-346
ts-parser/test-repo/src/config/app.config.ts:17 · conf 1.00
[MINED065] Cors Wildcard: Access-Control-Allow-Origin: * exposes the API to any browser origin. Acceptable for public read-only endpoints; dangerous when paired with credentials or write endpoints.
info MINED071 Go Panic Call CWE-755
· conf 0.20
[MINED071] Go Panic Call (and 13 more): Same pattern found in 13 additional files. Review if needed.
info MINED071 Go Panic Call CWE-755
lang/cpp/spec.go:108 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
lang/cxx/spec.go:65 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED071 Go Panic Call CWE-755
lang/java/lib_ipc.go:75 · conf 1.00
[MINED071] Go Panic Call: panic() crashes the process. Should return error in most cases.
info MINED074 Ai Tell Fake Citation
ts-parser/test-repo/src/services/api.ts:33 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info MINED074 Ai Tell Fake Citation
ts-parser/test-repo/src/services/ExportDefault.ts:4 · conf 1.00
[MINED074] Ai Tell Fake Citation: Plausible-looking but non-existent URLs (e.g., docs.example.com/v2). Common AI hallucination.
info SEC020 Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 1 more): Same pattern found in 1 additional files. Review if needed.
info SEC020 Secret Printed to Logs
ts-parser/src/parser/RepositoryParser.ts:309 · conf 0.10
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
ts-parser/test-repo/src/middleware/AuthMiddleware.ts:25 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
info SEC020 Secret Printed to Logs
ts-parser/test-repo/src/routes/AuthRoutes.ts:124 · conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…