https://github.com/HKUDS/DeepTutor.git · lang: python · LOC: · source: user_submitted
| Rule | Severity | Count |
|---|---|---|
| MINED108 self.attribute used but never assigned in `__init__` | high | 25 |
| MINED112 FastAPI POST/PUT/DELETE/PATCH endpoint without auth | high | 25 |
| MINED111 Bare except continues silently | medium | 25 |
| AIC003 Duplicated implementation block across source files | low | 19 |
| MINED107 Missing Python import (NameError at runtime) | critical | 14 |
| MINED115 GitHub Action pinned to mutable ref (not 40-char SHA) | high | 11 |
| AUC003 [AUC003] Object-level route lacks visible authorization: A … | high | 10 |
| AUC004 [AUC004] Admin route does not show super_admin separation: … | medium | 10 |
| AUC009 [AUC009] Sensitive function route lacks elevated authorizat… | medium | 10 |
| MINED118 Dockerfile FROM not pinned by sha256 digest | high | 5 |
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/book.py:154
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/book.py:171
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/book.py:180
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/book.py:189
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/book.py:423
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/co_writer.py:432
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/co_writer.py:447
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:138
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:144
· conf 0.70
AUC003
[AUC003] Object-level route lacks visible authorization: A route with an object id-like parameter does not show nearby authentication or authorization evidence. This is a BOLA/IDOR review target. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:174
· conf 0.70
DKR006
Dockerfile pipes a remote script into a shell
Dockerfile:77
· conf 0.92
MINED001
Bare Except Pass
CWE-755
deeptutor/agents/research/utils/json_utils.py:30
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
deeptutor/api/routers/chat.py:242
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED001
Bare Except Pass
CWE-755
deeptutor/api/routers/unified_ws.py:68
· conf 1.00
[MINED001] Bare Except Pass: except: pass or except Exception: pass — silently swallows everything including KeyboardInterrupt and bugs.
MINED009
Floats For Money
CWE-682
deeptutor/logging/stats/llm_stats.py:64
· conf 1.00
[MINED009] Floats For Money: Variable named price/amount/cost typed as float instead of Decimal.
MINED014
Disabled Tls Verify
CWE-295
deeptutor/services/llm/provider_core/openai_codex_provider.py:86
· conf 1.00
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
MINED020
Logging Credential Via Fstring
CWE-532
deeptutor/logging/stats/llm_stats.py:173
· conf 1.00
[MINED020] Logging Credential Via Fstring: logger.error(f"failed for {api_key}") — secrets end up in log aggregators / sentry.
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
deeptutor/api/routers/system.py:149
· conf 1.00
[MINED106] Phantom test coverage: test_llm_connection: Test function `test_llm_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line cover…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
deeptutor/api/routers/system.py:217
· conf 1.00
[MINED106] Phantom test coverage: test_embeddings_connection: Test function `test_embeddings_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. A…
MINED106
Phantom test coverage (assertion-free test)
CWE-1126
deeptutor/api/routers/system.py:274
· conf 1.00
[MINED106] Phantom test coverage: test_search_connection: Test function `test_search_connection` runs code but contains no assert / expect / should call — it passes regardless of behaviour. Adds line…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:355
· conf 1.00
[MINED108] `self._load_config` used but never assigned in __init__: Method `update_kb_status` of class `KnowledgeBaseManager` reads `self._load_config`, but no assignment to it exists in __init__ (an…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:432
· conf 1.00
[MINED108] `self._save_config` used but never assigned in __init__: Method `update_kb_status` of class `KnowledgeBaseManager` reads `self._save_config`, but no assignment to it exists in __init__ (an…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:433
· conf 1.00
[MINED108] `self._sync_kb_to_pb` used but never assigned in __init__: Method `update_kb_status` of class `KnowledgeBaseManager` reads `self._sync_kb_to_pb`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:437
· conf 1.00
[MINED108] `self._load_config` used but never assigned in __init__: Method `get_kb_status` of class `KnowledgeBaseManager` reads `self._load_config`, but no assignment to it exists in __init__ (and n…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:458
· conf 1.00
[MINED108] `self._load_config` used but never assigned in __init__: Method `list_knowledge_bases` of class `KnowledgeBaseManager` reads `self._load_config`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:516
· conf 1.00
[MINED108] `self._auto_register_kb` used but never assigned in __init__: Method `list_knowledge_bases` of class `KnowledgeBaseManager` reads `self._auto_register_kb`, but no assignment to it exists i…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:521
· conf 1.00
[MINED108] `self._save_config` used but never assigned in __init__: Method `list_knowledge_bases` of class `KnowledgeBaseManager` reads `self._save_config`, but no assignment to it exists in __init__…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:600
· conf 1.00
[MINED108] `self.set_default` used but never assigned in __init__: Method `register_knowledge_base` of class `KnowledgeBaseManager` reads `self.set_default`, but no assignment to it exists in __init_…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:602
· conf 1.00
[MINED108] `self._save_config` used but never assigned in __init__: Method `register_knowledge_base` of class `KnowledgeBaseManager` reads `self._save_config`, but no assignment to it exists in __ini…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:619
· conf 1.00
[MINED108] `self.get_knowledge_base_path` used but never assigned in __init__: Method `get_rag_storage_path` of class `KnowledgeBaseManager` reads `self.get_knowledge_base_path`, but no assignment to…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:635
· conf 1.00
[MINED108] `self.get_knowledge_base_path` used but never assigned in __init__: Method `get_images_path` of class `KnowledgeBaseManager` reads `self.get_knowledge_base_path`, but no assignment to it e…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:640
· conf 1.00
[MINED108] `self.get_knowledge_base_path` used but never assigned in __init__: Method `get_content_list_path` of class `KnowledgeBaseManager` reads `self.get_knowledge_base_path`, but no assignment t…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:645
· conf 1.00
[MINED108] `self.get_knowledge_base_path` used but never assigned in __init__: Method `get_raw_path` of class `KnowledgeBaseManager` reads `self.get_knowledge_base_path`, but no assignment to it exis…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:650
· conf 1.00
[MINED108] `self.list_knowledge_bases` used but never assigned in __init__: Method `set_default` of class `KnowledgeBaseManager` reads `self.list_knowledge_bases`, but no assignment to it exists in _…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:676
· conf 1.00
[MINED108] `self.list_knowledge_bases` used but never assigned in __init__: Method `get_default` of class `KnowledgeBaseManager` reads `self.list_knowledge_bases`, but no assignment to it exists in _…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:682
· conf 1.00
[MINED108] `self.list_knowledge_bases` used but never assigned in __init__: Method `get_default` of class `KnowledgeBaseManager` reads `self.list_knowledge_bases`, but no assignment to it exists in _…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:708
· conf 1.00
[MINED108] `self.get_default` used but never assigned in __init__: Method `get_metadata` of class `KnowledgeBaseManager` reads `self.get_default`, but no assignment to it exists in __init__ (and no c…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:713
· conf 1.00
[MINED108] `self._load_config` used but never assigned in __init__: Method `get_metadata` of class `KnowledgeBaseManager` reads `self._load_config`, but no assignment to it exists in __init__ (and no…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:729
· conf 1.00
[MINED108] `self._embedding_fields` used but never assigned in __init__: Method `get_metadata` of class `KnowledgeBaseManager` reads `self._embedding_fields`, but no assignment to it exists in __init…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:746
· conf 1.00
[MINED108] `self._load_config` used but never assigned in __init__: Method `get_info` of class `KnowledgeBaseManager` reads `self._load_config`, but no assignment to it exists in __init__ (and no cla…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:748
· conf 1.00
[MINED108] `self.get_default` used but never assigned in __init__: Method `get_info` of class `KnowledgeBaseManager` reads `self.get_default`, but no assignment to it exists in __init__ (and no class…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:829
· conf 1.00
[MINED108] `self._embedding_fields` used but never assigned in __init__: Method `get_info` of class `KnowledgeBaseManager` reads `self._embedding_fields`, but no assignment to it exists in __init__ (…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/manager.py:837
· conf 1.00
[MINED108] `self.get_default` used but never assigned in __init__: Method `get_info` of class `KnowledgeBaseManager` reads `self.get_default`, but no assignment to it exists in __init__ (and no class…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/progress_tracker.py:204
· conf 1.00
[MINED108] `self._save_progress` used but never assigned in __init__: Method `update` of class `ProgressTracker` reads `self._save_progress`, but no assignment to it exists in __init__ (and no class-…
MINED108
self.attribute used but never assigned in __init__
CWE-476
deeptutor/knowledge/progress_tracker.py:214
· conf 1.00
[MINED108] `self._notify` used but never assigned in __init__: Method `update` of class `ProgressTracker` reads `self._notify`, but no assignment to it exists in __init__ (and no class-level fallback…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:190
· conf 0.80
[MINED112] FastAPI DELETE /books/{book_id} has no auth: Handler `delete_book` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:199
· conf 0.80
[MINED112] FastAPI POST /books has no auth: Handler `create_book` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:225
· conf 0.80
[MINED112] FastAPI POST /books/confirm-proposal has no auth: Handler `confirm_proposal` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appear…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:248
· conf 0.80
[MINED112] FastAPI POST /books/confirm-spine has no auth: Handler `confirm_spine` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in t…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:272
· conf 0.80
[MINED112] FastAPI POST /books/compile-page has no auth: Handler `compile_page` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:286
· conf 0.80
[MINED112] FastAPI POST /books/regenerate-block has no auth: Handler `regenerate_block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appear…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:318
· conf 0.80
[MINED112] FastAPI POST /books/insert-block has no auth: Handler `insert_block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:339
· conf 0.80
[MINED112] FastAPI POST /books/delete-block has no auth: Handler `delete_block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:348
· conf 0.80
[MINED112] FastAPI POST /books/move-block has no auth: Handler `move_block` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the fun…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:362
· conf 0.80
[MINED112] FastAPI POST /books/change-block-type has no auth: Handler `change_block_type` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appe…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:382
· conf 0.80
[MINED112] FastAPI POST /books/deep-dive has no auth: Handler `deep_dive` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the funct…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:402
· conf 0.80
[MINED112] FastAPI POST /books/quiz-attempt has no auth: Handler `quiz_attempt` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:424
· conf 0.80
[MINED112] FastAPI POST /books/{book_id}/refresh-fingerprints has no auth: Handler `refresh_fingerprints` is registered with router/app.post(...) but no Depends/Security parameter is declared and no …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:433
· conf 0.80
[MINED112] FastAPI POST /books/supplement has no auth: Handler `supplement` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the fun…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:450
· conf 0.80
[MINED112] FastAPI POST /books/page-chat-session has no auth: Handler `set_page_chat_session` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker …
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/book.py:463
· conf 0.80
[MINED112] FastAPI POST /books/rebuild has no auth: Handler `rebuild_book` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the func…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/co_writer.py:357
· conf 0.80
[MINED112] FastAPI POST /edit has no auth: Handler `edit_text` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/co_writer.py:381
· conf 0.80
[MINED112] FastAPI POST /edit_react has no auth: Handler `edit_text_react` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the func…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/co_writer.py:392
· conf 0.80
[MINED112] FastAPI POST /edit_react/stream has no auth: Handler `edit_text_react_stream` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appea…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/skills.py:67
· conf 0.80
[MINED112] FastAPI POST /tags/create has no auth: Handler `create_tag` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/skills.py:79
· conf 0.80
[MINED112] FastAPI PUT /tags/{tag} has no auth: Handler `rename_tag` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function bo…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/skills.py:93
· conf 0.80
[MINED112] FastAPI DELETE /tags/{tag} has no auth: Handler `delete_tag` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the funct…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/skills.py:148
· conf 0.80
[MINED112] FastAPI POST /create has no auth: Handler `create_skill` is registered with router/app.post(...) but no Depends/Security parameter is declared and no auth marker appears in the function bo…
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/skills.py:167
· conf 0.80
[MINED112] FastAPI PUT /{name} has no auth: Handler `update_skill` is registered with router/app.put(...) but no Depends/Security parameter is declared and no auth marker appears in the function body.
MINED112
FastAPI POST/PUT/DELETE/PATCH endpoint without auth
CWE-306, CWE-862
deeptutor/api/routers/skills.py:189
· conf 0.80
[MINED112] FastAPI DELETE /{name} has no auth: Handler `delete_skill` is registered with router/app.delete(...) but no Depends/Security parameter is declared and no auth marker appears in the functio…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/docker-release.yml:28
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/pypi-release.yml:38
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/pypi-release.yml:56
· conf 0.90
[MINED115] Action `actions/setup-python` pinned to mutable ref `@v5`: `uses: actions/setup-python@v5` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/pypi-release.yml:61
· conf 0.90
[MINED115] Action `actions/setup-node` pinned to mutable ref `@v4`: `uses: actions/setup-node@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the …
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/pypi-release.yml:151
· conf 0.90
[MINED115] Action `pypa/gh-action-pypi-publish` pinned to mutable ref `@release/v1`: `uses: pypa/gh-action-pypi-publish@release/v1` resolves at workflow-run time. Tags and branches can be re-pushed b…
MINED115
GitHub Action pinned to mutable ref (not 40-char SHA)
CWE-829
.github/workflows/tests.yml:45
· conf 0.90
[MINED115] Action `actions/checkout` pinned to mutable ref `@v4`: `uses: actions/checkout@v4` resolves at workflow-run time. Tags and branches can be re-pushed by the action owner; that made the tj-a…
AUC001
[AUC001] No Repobility access matrix policy found: The repository uses web/API frameworks but does not define .repobility/access.yml or equivalent authorization documentation.
· conf 0.92
AUC002
[AUC002] Low visible authorization coverage in route inventory: Only 0.0% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
· conf 0.74
[AUC002] Low visible authorization coverage in route inventory: Only 19.6% of discovered routes show nearby authentication, authorization, middleware, or public-route evidence.
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/knowledge.py:702
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/knowledge.py:811
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/skills.py:107
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/api/routers/skills.py:123
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:117
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:129
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:138
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:144
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:169
· conf 0.66
AUC004
[AUC004] Admin route does not show super_admin separation: An administrative route was detected without nearby evidence that platform super_admin access is separated from tenant/application admin access. Endpoint: ANY /plugins/<slug:plugin_slug>/.
deeptutor/multi_user/router.py:174
· conf 0.66
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/book.py:189
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/book.py:198
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/book.py:338
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/book.py:347
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/co_writer.py:462
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/co_writer.py:585
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/knowledge.py:1675
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/question_notebook.py:269
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/skills.py:92
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC009
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without elevated policy evidence. Endpoint: DELETE /items/{item_id}.
deeptutor/api/routers/skills.py:188
· conf 0.68
[AUC009] Sensitive function route lacks elevated authorization evidence: A route appears to perform a sensitive function such as export, invite, role, token, billing, or destructive action without el…
AUC012
[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, protect them behind admin authentication, or publish a reviewed OpenAPI spec with declared security requirements.
· conf 0.72
[AUC012] FastAPI interactive docs may be exposed by framework defaults: FastAPI exposes /docs, /redoc, and /openapi.json by default. Public production APIs should explicitly disable those defaults, p…
CFG006
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
· conf 1.00
[CFG006] Missing .gitignore: No .gitignore file. Risk of committing secrets and build artifacts.
DKR001
Docker final stage has no non-root USER
Dockerfile:397
· conf 0.82
Docker final stage has no non-root USER
DKR002
Dockerfile base image has no explicit tag
Dockerfile:330
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
Dockerfile:331
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
Dockerfile:338
· conf 0.90
Dockerfile base image has no explicit tag
DKR002
Dockerfile base image has no explicit tag
Dockerfile:368
· conf 0.90
Dockerfile base image has no explicit tag
DKR007
Docker build context has no .dockerignore
.dockerignore
· conf 0.90
Docker build context has no .dockerignore
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
deeptutor/api/routers/chat.py:242
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
deeptutor/api/routers/vision_solver.py:260
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
deeptutor/api/utils/task_id_manager.py:93
· conf 1.00
[ERR001] Silent Exception Swallowing: Silently swallowing all exceptions hides bugs. Even in cleanup code, log at DEBUG level.
MINED111
Bare except continues silently
deeptutor/knowledge/add_documents.py:87
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/add_documents.py:167
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/add_documents.py:181
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/add_documents.py:304
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/initializer.py:85
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/initializer.py:305
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:104
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1081
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1134
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1160
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1249
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1287
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1399
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1406
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1414
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/knowledge/manager.py:1420
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/logging/loguru_bridge.py:13
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/logging/process_stream.py:83
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/multi_user/audit.py:24
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/multi_user/grants.py:56
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/multi_user/skill_access.py:57
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/runtime/launcher.py:396
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/runtime/launcher.py:429
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/runtime/launcher.py:459
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
MINED111
Bare except continues silently
deeptutor/services/auth.py:95
· conf 1.00
[MINED111] Bare except continues silently: Bare `except:` (or `except Exception:`) that runs code without re-raising or logging the exception. Hides real failures and makes bugs hard to diagnose.
SEC002
Hardcoded API Key
deeptutor/api/routers/system.py:171
· conf 0.30
[SEC002] Hardcoded API Key: Hardcoded API key found in source code.
SEC014
SSL Verification Disabled
deeptutor/core/agentic/client.py:64
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
SEC014
SSL Verification Disabled
deeptutor/services/llm/openai_http_client.py:42
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
SEC014
SSL Verification Disabled
deeptutor/services/llm/provider_core/openai_codex_provider.py:86
· conf 1.00
[SEC014] SSL Verification Disabled: SSL certificate verification is disabled, allowing man-in-the-middle attacks.
SEC015
Insecure Randomness for Security
deeptutor/agents/chat/session_manager.py:94
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
deeptutor/services/auth.py:196
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC015
Insecure Randomness for Security
deeptutor/services/llm/providers/routing.py:38
· conf 1.00
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.
SEC017
Unbounded Input to LLM/External API
deeptutor/book/agents/ideation_agent.py:51
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
SEC017
Unbounded Input to LLM/External API
deeptutor/co_writer/edit_agent.py:183
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
SEC017
Unbounded Input to LLM/External API
deeptutor/services/llm/provider_core/azure_openai_provider.py:105
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…
SEC034
Log Injection / Log Forging — unsanitized user input in log
deeptutor/services/search/__init__.py:138
· conf 1.00
[SEC034] Log Injection / Log Forging — unsanitized user input in log: User input is logged without sanitizing newlines or control characters. Attackers inject `\n` to forge fake log entries, hide tra…
SEC136
AI-typical over-broad exception handler swallowing all errors
deeptutor/co_writer/edit_agent.py:44
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
SEC136
AI-typical over-broad exception handler swallowing all errors
deeptutor/multi_user/skill_access.py:55
· conf 1.00
[SEC136] AI-typical over-broad exception handler swallowing all errors: Catch-all exception block that silently returns success or no-ops. AI agents reach for this pattern when a flaky test or an unf…
SEC139
AI-generated migration/route without companion test file
deeptutor/multi_user/router.py:144
· conf 1.00
[SEC139] AI-generated migration/route without companion test file: Route or migration touching auth, admin, users, payments, or webhooks — exactly the surfaces that need tests — with no companion tes…
WEB003
Public web service has no security.txt
.well-known/security.txt
· conf 0.78
Public web service has no security.txt
AIC003
Duplicated implementation block across source files
deeptutor/agents/math_animator/agents/visual_review_agent.py:59
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/agents/visualize/utils.py:2
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/book/agents/spine_synthesizer.py:229
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/book/blocks/interactive.py:37
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/capabilities/math_animator.py:428
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/capabilities/visualize.py:290
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/capabilities/visualize.py:581
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/co_writer/storage.py:38
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/knowledge/initializer.py:251
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/embedding/adapters/openai_sdk.py:24
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/llm/provider_core/azure_openai_provider.py:115
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/llm/provider_core/base.py:189
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/llm/provider_core/github_copilot_provider.py:172
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/llm/provider_core/openai_codex_provider.py:96
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/llm/provider_core/openai_compat_provider.py:621
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/memory/consolidator/modes/merge.py:155
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/memory/consolidator/modes/update.py:30
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/memory/consolidator/runs.py:314
· conf 0.86
Duplicated implementation block across source files
AIC003
Duplicated implementation block across source files
deeptutor/services/model_selection/runtime.py:10
· conf 0.86
Duplicated implementation block across source files
AUC005
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
· conf 0.76
[AUC005] No authorization-focused tests detected: No test files with common authorization, ownership, 403, admin, or super_admin assertions were found.
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
deeptutor/agents/auto/schemas.py:69
· conf 0.95
[COMP001] High cognitive complexity: Function `build_capability_tool_schemas` has cognitive complexity 8 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to und…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
deeptutor/agents/auto/schemas.py:99
· conf 0.95
[COMP001] High cognitive complexity: Function `build_atomic_tool_schemas` has cognitive complexity 14 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to unders…
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
deeptutor/agents/math_animator/duration_utils.py:17
· conf 0.95
[COMP001] High cognitive complexity: Function `parse_target_duration_seconds` has cognitive complexity 11 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to un…
DKR012
Dockerfile keeps pip download cache
Dockerfile:97
· conf 0.72
Dockerfile keeps pip download cache
COMP001
[COMP001] High cognitive complexity: Function `load_yfinance_data` has cognitive complexity 9 (SonarSource scale). Cognitive complexity measures how hard the function is for a human to understand — nested branches, boolean chains, and recursion all weigh in. Breakdown: except=1, for=1, if=2, nested_bonus=3, or=2.
· conf 0.20
[COMP001] High cognitive complexity (and 142 more): Same pattern found in 142 additional files. Review if needed.
ERR001
[ERR001] Silent Exception Swallowing (and 2 more): Same pattern found in 2 additional files. Review if needed.
· conf 0.20
[ERR001] Silent Exception Swallowing (and 5 more): Same pattern found in 5 additional files. Review if needed.
MINED001
Bare Except Pass
CWE-755
· conf 0.20
[MINED001] Bare Except Pass (and 19 more): Same pattern found in 19 additional files. Review if needed.
MINED014
Disabled Tls Verify
CWE-295
· conf 0.20
[MINED014] Disabled Tls Verify (and 1 more): Same pattern found in 1 additional files. Review if needed.
MINED014
Disabled Tls Verify
CWE-295
deeptutor/core/agentic/client.py:64
· conf 0.10
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
MINED014
Disabled Tls Verify
CWE-295
deeptutor/services/llm/openai_http_client.py:42
· conf 0.10
[MINED014] Disabled Tls Verify: verify=False in requests, rejectUnauthorized:false in node, InsecureSkipVerify:true in Go.
MINED043
Http Not Https
CWE-319
deeptutor/services/config/embedding_endpoint.py:61
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
deeptutor/services/config/origins.py:36
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED043
Http Not Https
CWE-319
deeptutor/services/llm/utils.py:121
· conf 1.00
[MINED043] Http Not Https: Hardcoded http:// (not localhost) for endpoints that handle credentials or data.
MINED049
Print Pii
CWE-532
deeptutor/services/auth.py:11
· conf 1.00
[MINED049] Print Pii: Logging password/token/email/ssn directly to stdout.
MINED050
Stub Only Function
CWE-1188
· conf 0.20
[MINED050] Stub Only Function (and 29 more): Same pattern found in 29 additional files. Review if needed.
MINED050
Stub Only Function
CWE-1188
deeptutor/agents/__init__.py:20
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
deeptutor/agents/research/utils/json_utils.py:31
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED050
Stub Only Function
CWE-1188
deeptutor/api/routers/chat.py:243
· conf 1.00
[MINED050] Stub Only Function: Function declared but body is just pass, return None, raise NotImplementedError, or TODO comment.
MINED062
Python Dataclass No Fields
· conf 0.20
[MINED062] Python Dataclass No Fields (and 19 more): Same pattern found in 19 additional files. Review if needed.
MINED062
Python Dataclass No Fields
deeptutor/agents/_shared/tool_composition.py:65
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
deeptutor/agents/vision_solver/models.py:255
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED062
Python Dataclass No Fields
deeptutor/app/facade.py:15
· conf 1.00
[MINED062] Python Dataclass No Fields: @dataclass over an empty class — unfinished model.
MINED072
Python Pass Only Class
CWE-1188
deeptutor/services/llm/exceptions.py:139
· conf 1.00
[MINED072] Python Pass Only Class: class Foo: pass — stub waiting to be filled in.
SEC014
SSL Verification Disabled
· conf 0.20
[SEC014] SSL Verification Disabled (and 1 more): Same pattern found in 1 additional files. Review if needed.
SEC020
Secret Printed to Logs
· conf 0.20
[SEC020] Secret Printed to Logs (and 2 more): Same pattern found in 2 additional files. Review if needed.
SEC020
Secret Printed to Logs
deeptutor/multi_user/identity.py:121
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
deeptutor/services/llm/client.py:54
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC020
Secret Printed to Logs
deeptutor/services/llm/config.py:65
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…
SEC029
Server-Side Request Forgery (SSRF) — outbound HTTP from user input
· conf 0.20
[SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input (and 3 more): Same pattern found in 3 additional files. Review if needed.
SEC128
Async function without await — fire-and-forget Promise (AI mistake)
· conf 0.20
[SEC128] Async function without await — fire-and-forget Promise (AI mistake) (and 6 more): Same pattern found in 6 additional files. Review if needed.
SEC135
Auth/permission check missing on AI-generated endpoint
· conf 0.20
[SEC135] Auth/permission check missing on AI-generated endpoint (and 6 more): Same pattern found in 6 additional files. Review if needed.