https://github.com/decolua/9router.git ·
lang: javascript ·
LOC: ·
source: corpus_mined
| Rule | Severity | Count |
|---|---|---|
SEC020 Secret Printed to Logs |
high | 4 |
SEC015 Insecure Randomness for Security |
medium | 4 |
SEC017 Unbounded Input to LLM/External API |
medium | 2 |
SEC016 LLM Prompt Injection — User Input in AI Prompt |
high | 2 |
SEC001 Hardcoded Password |
critical | 1 |
SEC010 Cloud Provider Token |
critical | 1 |
SEC016
LLM Prompt Injection — User Input in AI Prompt
open-sse/translator/request/openai-to-kiro.old.js:47
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC016
LLM Prompt Injection — User Input in AI Prompt
src/shared/constants/providers.js:22
· conf 0.90
[SEC016] LLM Prompt Injection — User Input in AI Prompt: User-supplied text is interpolated directly into an AI/LLM prompt (e.g. OpenAI, Anthropic, or local model). This is the AI equivalent of SQL i…SEC020
Secret Printed to Logs
open-sse/executors/default.js:250
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC020
Secret Printed to Logs
src/app/(dashboard)/dashboard/providers/components/ConnectionsCard.js:393
· conf 0.85
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…SEC001
Hardcoded Password
cli/src/cli/menus/settings.js:19
· conf 0.30
[SEC001] Hardcoded Password: Hardcoded password found in source code.SEC017
Unbounded Input to LLM/External API
open-sse/translator/request/openai-to-kiro.old.js:47
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC017
Unbounded Input to LLM/External API
src/shared/constants/providers.js:22
· conf 0.80
[SEC017] Unbounded Input to LLM/External API: User input is passed to an LLM or external AI API (OpenAI, Anthropic, etc.) without any visible length or size validation. This creates two risks: (1) Co…SEC010
Cloud Provider Token
src/shared/components/GitLabAuthModal.js:172
· conf 0.10
[SEC010] Cloud Provider Token: Cloud provider or SaaS API token found in source code.SEC015
Insecure Randomness for Security
[SEC015] Insecure Randomness for Security (and 13 more): Same pattern found in 13 additional files. Review if needed.SEC015
Insecure Randomness for Security
open-sse/services/provider.js:274
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
open-sse/transformer/responsesTransformer.js:18
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC015
Insecure Randomness for Security
open-sse/transformer/streamToJsonConverter.js:96
· conf 0.25
[SEC015] Insecure Randomness for Security: Weak PRNG used in security-sensitive context. Output is predictable.SEC020
Secret Printed to Logs
[SEC020] Secret Printed to Logs (and 6 more): Same pattern found in 6 additional files. Review if needed.SEC020
Secret Printed to Logs
cli/src/cli/menus/providers.js:489
· conf 0.15
[SEC020] Secret Printed to Logs: Debug or diagnostic code appears to print a credential-bearing value. This is a frequent AI-assisted coding failure: the helper exposes the exact value needed for tro…Reading from rp.scan + rp.finding + rp.rule (unified schema, R78 series). Legacy data path unchanged. Compare with /scan/fb811aad-fc49-4087-bb48-3134cdaad42a/.