Directly printing exception messages to the console can reveal internal details; prefer logging them and showing user‑friendly messages
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Move quota.consume() into a finally block to ensure quota is deducted even if an unexpected exception occurs after analysis.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add a timeout parameter to LLMManager.analyze_chunks to prevent indefinite blocking on external LLM API calls
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Validate ollama_base_url obtained from settings to ensure it is a well‑formed URL and does not contain malicious content
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Replace broad 'except Exception' with more specific exception types to avoid masking unrelated errors
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add an entry for "ollama" in ENV_API_KEYS to allow API key configuration for the Ollama provider
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consider using immutable tuples for constant sequences (e.g., ILLUSION_LEVELS_ORDERED) to prevent accidental modification at runtime
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Document or guard get_base_path() because the frozen and unfrozen branches return different base paths; a change in project layout could break the unfrozen path resolution.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Path traversal protection in _collect_selected_files uses os.path.commonpath on string paths; replace with pathlib's is_relative_to for clearer and safer checks.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Avoid repeated encoding of each line to compute byte size; cache the byte length or use len(line) for ASCII‑only content to improve performance
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consider using a single dict comprehension or factory function to build CoverageMap entries, reducing nested loops and improving readability.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add explicit return statement at end of compute_rule_trace for clarity (return trace, level)
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Replace raw string constants for levels and outcomes with Enum types for better type safety and maintainability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Validate that final_level and final_decision are non‑empty strings before building the proof bundle to avoid creating invalid proofs
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Replace magic numbers 0.35, 0.45, and 0.1 with named constants for readability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add docstrings to private methods (_detect_logic_hotspots, _calculate_score) to improve maintainability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
The confidence variable is recalculated twice; the first calculation is redundant
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Validate that the provided project_path exists and is a directory to avoid errors later.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Use subprocess.run with check=True and handle CalledProcessError for clearer error handling instead of manually checking returncode.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add explicit type annotation for output_dir (e.g., Union[str, Path]) and consider using pathlib.Path for consistency
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
The _glob_match function recompiles a regular expression on every call for patterns containing '**'. Caching the compiled regex could improve performance.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Log message in guard_truncation contains a typo "fence+backet"; correct to "fence+bracket" for clarity
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Use a context manager (with open(...)) when reading prompt files instead of Path.read_text to better handle file I/O errors and encoding issues.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
_record_to_dict stores a "_chain_version" field but _dict_to_record never validates that the stored version matches CHAIN_VERSION, risking silent incompatibility
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
The canonical block representation rounds timestamps to three decimals, which can cause hash collisions for scans that occur within the same millisecond; consider using full precision
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
load_chain reads the entire chain file into memory with read_text(); for large audit histories this can be memory‑intensive – switch to iterative line-by-line reading
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
record_scan_to_chain should validate that numeric fields (score, critical_count, high_count, issue_count) are within expected ranges before storing them.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
When saving settings, ensure the resulting file permissions restrict access to the owner to protect stored secrets.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Sanitize or validate the user-provided 'intent' string before embedding it in the prompt to reduce the risk of prompt injection attacks.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Preserve the original trailing newline when returning sanitized content; currently "\n" is lost after "\n".join(sanitized_lines).
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
has_injection_risk discards the optional file_path argument, causing warnings to lack context; consider passing file_path to sanitize_code_content for consistent warning messages.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consider using a tuple for ProviderPlan fields that never change to emphasize immutability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add a docstring to build_provider_plan to clarify its behavior and edge cases
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Document that a 'custom' profile returns the enabled providers list without any reordering
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
When load_history detects a corrupted JSON file, it returns an empty list but leaves the corrupted file on disk, causing repeated warnings on each run. Consider deleting or archiving the corrupted file.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
save_history uses a static temporary filename (".tmp") which could clash if multiple processes write to the same history file simultaneously. Use a unique temporary filename (e.g., via tempfile.NamedTemporaryFile) to avoid race conditions.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Timestamp parsing uses hard‑coded length and slicing; consider using datetime parsing for robustness
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Apply html.escape (or a templating engine) to any user‑controlled strings before inserting them into generated HTML to mitigate XSS risks
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consistently escape all dynamic values inserted into the HTML (e.g., score_desc, reliability_label, reliability_guidance) to prevent injection attacks
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Use deterministic JSON serialization (e.g., sort_keys=True) when generating fallback fingerprint to ensure consistent deduplication across runs
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Move the import of _stable_issue_id out of the per-issue loop to avoid repeated imports and improve performance
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consider using an atomic file write (e.g., write to a temporary file then rename) or file locking when saving suppressions to avoid partial writes or race conditions.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add logging for subprocess failures in get_gpu_info to aid debugging
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Log a warning when psutil is not installed in get_total_ram_gb to improve observability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add an explicit type annotation for the DARK constant (e.g., DARK: Dict[str, str] = {...}) for consistency with LIGHT
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consider making the theme palettes immutable (e.g., using MappingProxyType) to prevent unintended runtime modifications
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Implement a parameter or configuration mechanism for palette() to return either DARK or LIGHT based on application settings
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add validation to ensure confidence_basis values are within _VALID_CONFIDENCE_BASIS when constructing issue objects
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Progress calculation in on_progress uses the per‑file 'total' argument multiplied by number of providers, which can misrepresent overall progress when scanning multiple files; consider using the total number of chunks across all files (* len(active)) calculated once outside the callback
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Use pathlib's Path.open() and set file mode 0o600 when writing the license cache to ensure proper permission handling
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Catch specific exceptions in _verify_gumroad instead of a broad Exception to avoid masking unexpected errors
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Replace generic 'dict' type hints with concrete typing (e.g., Dict[str, Any]) for clearer static analysis and maintainability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Import tkinter.filedialog at module level instead of inside _browse to avoid repeated imports on each call.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
In _validate_key, the 'text_color' keyword is used for the status label, which may be incorrect for customtkinter; verify the correct property name (e.g., 'fg_color') to ensure the label updates as intended.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add a type hint for the 'window' parameter (e.g., CTk) to improve clarity and enable static analysis.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Hardcoded height value (72) for the topbar; consider using a named constant or configurable parameter.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Button text reads "⚠ Add API Key" but its command opens settings; the label may mislead users about the action performed.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Multiple UI elements use hardcoded padding, width, and height values; extracting these into constants would improve maintainability.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Clean exit shuts down UI but does not explicitly wait for background analysis threads; consider joining non‑daemon threads to ensure graceful shutdown.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
In _svc_output_formats the fallback uses settings key "output_format" but the intended key is likely "output_formats"; this could return an unexpected value.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Replace the custom _log method's inner function with a direct call to self._log_box methods inside after to avoid the extra closure overhead and improve readability.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add explicit type hints for the 'parent' and 'settings' parameters in show_welcome_modal for better readability and static analysis
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add explicit type hints for function parameters and return types (e.g., render_conflict_heatmap, render_verdict_banner) to improve maintainability
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Replace hard‑coded provider ID tuple in build_optimizer_tab with iteration over PROVIDER_BENCHMARKS keys to keep the UI in sync with available providers.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
When include_provider_health is True, export_diagnostics includes the raw api_key_health dict which may contain actual API keys; consider redacting or hashing the keys before adding to the payload
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Exporting diagnostics writes directly to the target file; to avoid race conditions or partial writes, write to a temporary file and rename atomically
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
provider_health_snapshot passes an empty string for providers that do not require a key; clarify this behavior in documentation or rename variable to reflect that no key is used
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Default provider selection checkboxes always initialize to True; they should reflect saved settings to avoid unexpected defaults.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Wrap calls to self._on_save() in try/except to prevent unhandled exceptions from stopping the UI closure
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Recompute the prefixes dictionary once (e.g., as a class attribute) instead of rebuilding it on each _provider_key_status call for efficiency
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Log exception details in _export_diagnostics when export fails for better debugging
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Monkey-patching tempfile.TemporaryDirectory globally may affect other imports; consider limiting scope or using a fixture
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Consider adding a return type annotation to 'is_pro' to improve clarity (e.g., -> bool).
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Method 'output_formats' accesses settings key 'output_format' while the method name suggests plural; verify consistency with settings schema.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Method 'set_last_folder' accepts a string path; accepting a pathlib.Path object would be more flexible and type‑safe.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add a class docstring to MainWindowServices to describe its responsibilities and usage.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Use a context manager or atomic write when saving JSON output to avoid partial file writes on failure
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add a guard to ensure meta_issues is non‑empty before accessing meta_issues[0] to avoid potential IndexError if _run returns an empty list
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Add required imports (tempfile, pathlib.Path, pytest) at the top of the test file to ensure all tests run correctly
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
The quota.consume() method is called unconditionally after `execute_analysis_pipeline` completes, unless an exception is raised. If `execute_analysis_pipeline` can return a `result` indicating an analysis that should not consume quota (e.g., partial success, early exit due to invalid input not raising an exception), this could lead to incorrect quota usage or billing.
Detected by: ✓ gemini ×0.9 1/3 provider(s) agreed
The `tests_count` variable is initially populated by a scan of the entire project, then potentially overwritten to `1` by `max(tests_count, 1)` if any collected file is identified as a test file. This makes `tests_count` inconsistent: sometimes it's an actual count (from `_scan_project_signals`), and other times it's a boolean 'has tests' flag (effectively 0 or 1), which conflicts with its name.
Detected by: ✓ gemini ×0.9 1/3 provider(s) agreed
A recursive function with an external API call is not present, but there are several function calls with the potential for recursive calls
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The database connection is not explicitly closed, but it is handled by the QuotaManager class
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Unused 'lambda' function for 'update_progress' and 'update_intelligence'
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Long methods and complex logic in the main function; consider refactoring for better maintainability
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Unused imports and variables; consider removing them for better code quality
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Duplicate code detected
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The code has a large number of magic strings and hardcoded values, which could make it difficult to maintain and update.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The except block for the ArbiterEngine failure is too broad and may mask other important exceptions.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Unused import 'logger'
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Deep nesting in 'if comparison' block
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Duplicate code in 'build_output_context' function calls
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Recursive function calls may lead to stack overflow
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Complexity of SettingsManager class may make it difficult to maintain
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number (30) used in LOOKAHEAD variable
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Hardcoded prefixes in _BOUNDARY_PREFIXES tuple
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Long method in MetaEngine class
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number 0 used as default value for chunk_index
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Nested dictionary access without error handling
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Deeply nested conditional statements in RuleTrace evaluation
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Long method (compute_signal_vector) with complex logic
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Complex function build_proof_bundle with many parameters
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Deeply nested function calls
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic string 'R10_no_signal' in compute_rule_trace
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number: cap at 10 conflicts may need to be adjusted in the future
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number: confidence calculation may need to be adjusted in the future
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number: score calculations may need to be adjusted in the future
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Missing type hint for logger
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number used in _score_group method
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Unused import
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The order dictionary is defined with magic numbers; it would be better to use named constants.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The compare method in the DiffEngine class is complex and has many nested loops, which could be simplified for better readability
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The `_run_git` function has complex logic; it would be better to split it into smaller functions for better readability and maintainability.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Recursive function calls are not detected in the given code
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
External API calls are not explicitly handled in the code
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The confidence_to_severity function has complex logic and should be refactored for readability
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Deep nesting in build_conflict_map_from_arbiter function
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number (20) used in MAX_HEADER_FILES constant
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
A recursive function call is not present, but potential deep recursion can occur if the input file has many lines and complex rules
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The method load can potentially throw an exception if the file does not exist or cannot be parsed; consider adding a try-except block for specific exceptions
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential performance issue with the should_ignore_issue_like method if there are many rules and items to filter
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Duplicate code in 'call_claude' and 'call_gpt' functions
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Magic number: `45` and `15` are used in the code without clear explanation
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
God object: `LLMManager` class has many responsibilities and attributes
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The _prompt_cache dictionary is not properly synchronized, which could lead to data corruption in a multi-threaded environment.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Function chain_summary has multiple return paths
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Creating a temporary probe file in _init_quota can cause a race condition when multiple instances start at the same time, potentially raising OSError
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Calling args.format.split() without checking if args.format is None may raise AttributeError when the user omits the --format option.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
tests_count is set using max(tests_count, 1) for each entry, which resets the count to 1 instead of incrementing, leading to inaccurate test detection.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
The check for 'express()' in _looks_like_entrypoint is case‑sensitive, while other framework detections use lower‑cased content; this may miss matches like 'Express()'
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Stack label inference compares language strings to capitalised names (e.g., "Python") but entry.language may be stored in lowercase, causing incorrect labeling of projects
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
build_score_reliability_context uses getattr(report, "requested_llms", report.total_llms) which will raise AttributeError if report.total_llms is missing; fallback should use getattr on report for total_llms as well
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
_save uses Path.replace for atomic rename, which is not reliably atomic on Windows and can raise PermissionError if the target file exists; consider using os.replace with proper error handling.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
_vote_states never assigns a 'partial' VoteStatus, so providers that should be marked as partial are incorrectly treated as 'full' or 'absent', breaking agreement calculations
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Conflict signal uses '>' threshold but the documented threshold is 0.3 inclusive; should use '>=' to match specification
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
compute_rule_trace may return an empty final_level string when no rule matches, leading to undefined downstream handling; should default to 'routine'
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Confidence calculation can exceed 1.0 because 0.45 + 0.1*severity_spread may be >1; should clamp to 1.0
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Logic condition `if critical_issues and len(issues) <= 2:` seems inverted; likely should be `len(issues) >= 2` to apply soft floor when many issues exist
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Mutates input issue dictionaries by adding a '_provider' key, causing side effects on callers
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
_same_issue returns False when either issue description is empty, causing identical issues without descriptions to be incorrectly classified as new or fixed
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
In _resolve_prompt, only OSError is caught when reading prompt files; UnicodeDecodeError or other exceptions could propagate and crash the application.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
normalize_issue_type replaces spaces with underscores but does not normalize hyphens or other separators, so inputs like "code-smell" will not be mapped correctly.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
When parsing a "file:" rule, both type and severity can be present, but the code only handles one of them (type first, else severity). This can cause the severity part to be ignored.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
If a "file:" line has neither type nor severity, the code adds a rule with kind "path" instead of a dedicated "file" kind, which is likely unintended and may affect rule matching logic.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
load_chain silently swallows JSONDecodeError and other exceptions, returning a partially loaded chain without any indication of corruption
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Block-level hidden Unicode patterns are removed without inserting a visible marker, violating the design rule "Never silently drop content — always replace with a visible marker".
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Potential KeyError if SCAN_MODES entry for given scan_mode lacks the 'max_llms' key
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
If enabled_providers contains duplicate entries, prioritized_providers may return duplicate providers, leading to unexpected ordering
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
find_previous_entry sorts timestamps as plain strings, which may misorder entries if the timestamp format is not ISO‑lexicographically comparable.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
_atomic_write does not ensure that the parent directory of the quota file exists, potentially raising an OSError and preventing the quota from being persisted.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
The conditional check uses 'and', causing the function to proceed when only one of profile or summary is missing, potentially leading to missing-key errors
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Assumes classify_provider_error returns a dict with 'short_label' key; missing key would raise a KeyError
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Walrus expression in debug_block always evaluates to truthy, making the else branch unreachable and unnecessary
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Button with onclick="openWhy()" references undefined JavaScript function, causing a runtime error when the user clicks the 'How is this score calculated?' button
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Appends a run object even when new_results is empty, resulting in empty runs in the merged SARIF output
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
_model_size_gb is annotated to return int but returns float values, causing type inconsistency
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Comment lists five free providers (gemini, groq, cerebras, openrouter, ollama) but FREE_PROVIDERS list only includes three, causing the recommendation to ignore two available providers.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Using getattr with default report.total_llms evaluates report.total_llms even when the attribute may be missing, causing AttributeError if report lacks total_llms
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Assumes 'status' is a string; if None, status.startswith will raise AttributeError
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
ai_indicator_state returns a low‑priority color for exactly two ready providers, which is likely unintended (should probably use a medium priority color)
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Uses value.startswith(prefixes) where prefixes may be a list, causing TypeError; ensure prefixes is a tuple or convert to tuple before calling startswith.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
ApiKeyEntry references undefined method _toggle_show invoked by toggle button, causing AttributeError on click
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
ApiKeyEntry context menu commands reference undefined methods _copy and _clear, leading to AttributeError when used
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
ApiKeyEntry calls _validate_key method but it is not defined in this snippet, potentially causing AttributeError
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
inline_svg adds width/height attributes without checking if they already exist, potentially resulting in duplicate attributes and malformed SVG.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Assumes 'window' has a '_settings' attribute; if missing an AttributeError will be raised.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
open_browser_path uses success_message.format(name=target.name) without guarding against missing placeholder, which can raise a KeyError and crash the UI
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Missing validation that 'selected_folder' is a valid directory path; non‑existent paths could cause downstream failures.
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Assumes each observation object has a .line attribute; may cause AttributeError or incorrect logic if structure differs
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Logic in test_consensus_observations_populated allows issues to pass if they meet a secondary condition, contradicting the docstring that solo low issues should never appear as issues
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
test_reporter_html_quota_failure asserts that "No issues detected" is not in the generated HTML, but a quota failure may still result in that phrase being present, making the test flaky
Detected by: ✓ cerebras ×0.9 1/3 provider(s) agreed
Consider implementing retry mechanism for API calls to handle potential network issues
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a timeout for the 'execute_analysis_pipeline' function call
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding retry logic for timeout and connection errors in API calls
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding logging and monitoring for better error tracking and debugging
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a try-except block to handle potential environment variable setting errors
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Path construction could be more robust; consider using os.path.join instead of the / operator
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more secure method to store API keys, such as environment variables or a secure key management system.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using defaultdict for initializing counts dictionary
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more efficient data structure for storing chunk boundaries
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding documentation for _chunk_files and _split_lines methods
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using type hints for function return types
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more efficient data structure for _CATEGORY_GROUPS
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using defaultdict for coverage dictionary
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding input validation for function parameters
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding docstrings for complex functions
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more robust sorting algorithm for hotspots
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more efficient data structure for storing issues
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding more logging statements for debugging purposes
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The MetaIssue_cls could be defined as a dataclass to improve readability and maintainability.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The _action_map dictionary could be replaced with a match statement to improve readability.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a timeout to the SequenceMatcher ratio calculation to prevent potential performance issues
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more efficient data structure than lists for the new, fixed, unchanged, worsened, and improved items
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The `last_commit_summary` function does not handle the case when there are no commits in the repository.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding error handling for the SequenceMatcher ratio method
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a timeout for the best_description function to prevent potential performance issues
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The function names share_domain_keyword and lines_close could be more descriptive
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding error handling for load_history function call
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding logging statements for exception handling in build_conflict_map_for_run
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a context manager for the file operation in load method
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding input validation for the project_root parameter in the load method
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a more robust HTTP client library
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The classify_provider_error() function has a complex set of conditions, which could be simplified for better maintainability.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider using a try-except block for potentially error-prone operations like time.strftime
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding input validation for the chain and record parameters in the append_record function
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a check to handle the case where the chain is empty before verifying it
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding error handling for the case where the report_content or sarif_content is not a valid JSON string
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a check to ensure that the record_scan_to_chain function is called with the correct parameters
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a check to handle the case where the IPFS upload fails
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a check to handle the case where the EVM contract call fails
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Consider adding a check to handle the case where the project_path_str is not a valid string
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
RotatingFileHandler may fail if the parent directory of the log file does not exist; ensure the directory is created before adding the handler
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Console logger is configured at INFO level, which may expose sensitive information in production; consider using WARNING or higher
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Duplicate 'key' and 'status' fields in provider row dict for non-ollama providers, both set to the same value
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Using an empty string ('') as a sentinel value for disabling the illusion gate makes the control flow harder to understand and maintain.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Mutable module-level dictionaries (e.g., LLM_PROVIDERS, PROVIDER_SETUP, PROVIDER_BENCHMARKS) can be modified at runtime, potentially causing unintended side‑effects across imports.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Dataclass AnalysisPipelineResult uses mutable default values (List, Dict) set to None; consider using default_factory for proper immutability
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Inconsistent use of logging helpers: 'log' is used throughout, but 'logger.warning' is used in the SARIF v2 fallback block
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Imported 'ReportOutputContext' in the SARIF v2 generation block but never used, leading to unnecessary import
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Magic number 20 is used to filter out short/minified files (len(content.strip()) < 20). This should be a configurable constant.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
The docstring of _split_lines says "Yield" but the method returns a list, which is misleading and could cause confusion for maintainers
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Potential KeyError: provider_seen may not have key pid when accessing provider_seen[pid].setdefault; ensure provider_seen is a defaultdict or initialize an empty dict for each pid before use.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
ProofBundle mentions a seal() method but it is not implemented, risking misuse of mutable state
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
summarize_proof prints Python list objects for signals and rule IDs; joining them into strings would improve readability
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Hard‑coded limit of 10 conflicts may hide additional disagreements; consider making the limit configurable
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Repeated use of inline lambda functions for sorting could be replaced with named functions for clarity
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Redundant assignment to report.total_llms before and after effective_providers calculation, which may cause confusion
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
compare method uses a nested loop with O(n^2) complexity; performance will degrade on large issue lists and could be optimized with hash‑based matching
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
_filter_supported builds a list manually; can be expressed more concisely with a list comprehension for readability.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
confidence_to_severity caps severity index to 2, preventing a 'critical' raw_severity from being returned even when confidence is high enough, which may understate severity.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Broad except clause catches all exceptions and silently returns empty dict, which can mask errors
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
call_ollama creates an httpx.Client without using a context manager, so the underlying connection pool may remain open after the request
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
resolve_max_tokens silently defaults to a fixed value when an unknown scan_mode is provided, which may hide configuration errors
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Catching only OSError when reading prompt files is a code smell; a broader exception handling (e.g., Exception) would be safer and more maintainable.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
The _TYPED_PROMPT_FILES dictionary contains placeholder entries for prompts that may not exist (e.g., architecture_guard, speed_reviewer, smell_detector), leading to unnecessary filesystem checks.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
ScanChain._lock is defined but never used anywhere in the module, indicating dead code or missing thread‑safety when mutating the chain
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
append_record rewrites the entire chain file on each append, leading to O(n) disk I/O and potential performance degradation as the chain grows.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
normalize_provider_profile is called twice for the same profile, causing redundant computation
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
load_history reads the entire history file into memory without any size guard; a very large or corrupted file could cause high memory usage.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Uses deprecated hmac.new() API instead of the modern hmac.HMAC() constructor.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Potential race condition: concurrent calls to consume() can interleave, leading to lost updates of the usage counter because _record is mutated without any locking.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Coverage line string is inserted into HTML without escaping, inconsistent with other fields
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Heavy use of inline f‑strings for HTML assembly reduces readability; a templating approach would be clearer
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
_SEV_COLOR dictionary is defined but never used anywhere in the module
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Conditional `line_str = f":{issue.line}"` uses a falsy check, so a line number of 0 will be omitted, potentially hiding valid issue locations.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Large inline f-string HTML makes the function difficult to read and maintain; consider extracting the markup to a dedicated template or using a templating engine
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Loads entire SARIF file into memory with Path.read_text, which may cause high memory usage for large files
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Linking all CWE taxon IDs to each rule (potentially large N^2 relationship) can cause SARIF document bloat; consider limiting relationships per rule
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Unused import 'json' in _list_local_ollama_models
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
The DARK and LIGHT dictionaries are mutable globals and are returned directly, allowing external code to accidentally modify the theme constants at runtime
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Unused constant _VALID_CONFIDENCE_BASIS is defined but never used
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Importing sha256 inside machine_fingerprint function instead of top-level import increases overhead
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Unused variable 'started' is assigned but never used in execute_analysis_pipeline
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
The 'settings' parameter in execute_analysis_pipeline lacks a specific type hint, making the API less clear; add a proper SettingsManager type annotation
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
In build_local_provider_benchmarks, the variable 'attempts' is already forced to be at least 1, so the extra max(1, attempts) when computing avg_chunk is redundant
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Using datetime.now() creates naive timestamps; consider using timezone-aware UTC timestamps to avoid ambiguity across time zones
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Repeated computation of machine fingerprint and secret could be cached to avoid unnecessary hashing on each call
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Catches generic Exception, which can mask unexpected errors
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Importing os inside workspace_display_name adds unnecessary overhead; the import should be moved to module level
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Catches generic Exception in _copy, which can mask unrelated errors; should catch only expected exceptions.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Duplicate except blocks for tk.TclError and generic Exception both log the same message; can be consolidated into a single block.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Directly accessing private attribute self._entry._entry breaks encapsulation and may break with future customtkinter versions
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Missing docstring for the 'build_layout' function; adding a docstring would improve maintainability and documentation.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Using str.replace to modify the <svg> tag replaces all occurrences, which could unintentionally alter nested <svg> elements or similar substrings.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Imported constant COLOR_BG is never used in this module.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Broad except Exception blocks (e.g., icon loading, intent handling) swallow all errors, making debugging harder.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Repeated calls to MainWindow._svc(self) in each helper method cause unnecessary overhead; consider caching the service instance in a local variable.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Repeated pattern of calling open_browser_path followed by immediate return appears in open_report and open_last_html_report; consider extracting a helper to reduce duplication
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Repeated creation of CTkLabel widgets inside loops (render_conflict_heatmap and render_verdict_banner) may lead to performance degradation with many items; consider using a virtualized list or limiting rendered items
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Magic string fallback "#aaa" for unknown severity colors in render_conflict_heatmap is unclear; define a constant or handle unknown severities explicitly
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Repeated pattern of creating a CTkFrame and adding two CTkLabel widgets for each card; consider extracting a helper function to reduce duplication and improve maintainability.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Multiple functions catch generic Exception (quota_text, reset_quota, export_diagnostics) which hides specific errors and makes debugging harder
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
API key entry widgets are packed into the scrollable frame instead of their row container, leading to inconsistent UI layout.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Catching generic Exception in _paste_license and _copy_machine_fingerprint masks errors; catch specific exceptions instead
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Setting OS-level TMP/TEMP/TMPDIR environment variables globally can unintentionally affect subprocesses; evaluate necessity
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Method name 'selected_llms' shadows the attribute name, which may cause confusion and accidental recursion if an attribute with the same name is added later.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Hardcoded default LLM list ['claude', 'gpt'] inside 'build_analysis_launch_decision' reduces configurability; consider externalizing to settings.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Modifying sys.path at runtime can introduce import side‑effects and mask import errors
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Temporary file created for the built-in sample (tempfile.NamedTemporaryFile with delete=False) is never removed, leaving stray files on the filesystem after execution.
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
Hard‑coded timestamp strings (e.g., "20260321_120000") make tests less flexible and may cause failures if the format changes
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
The condition `if probe.exists():` before `probe.unlink()` is redundant. If `probe.touch()` succeeded, `probe.exists()` will always be true. If `probe.touch()` failed, `probe.unlink()` would not be reached, or an exception would already have occurred.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The error message for a missing app data directory suggests it's 'usually caused by a permissions issue'. While possible, the primary problem is the directory not existing, which could also be due to misconfiguration or accidental deletion, making the 'permissions issue' part potentially misleading.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The logic for parsing and defaulting `args.fail_on_illusion` is convoluted. An empty string (`""`) provided by the user is explicitly set to "medium" (line 450), while a missing argument (`None`) becomes an empty string, which is then interpreted as "disabled" (line 457). This asymmetry and complex handling can be confusing for users and lead to unexpected behavior.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
Redundant `import os` inside `resolve_api_keys`. The `os` module is already imported at the top of the file (line 20).
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The `sys.stdout.reconfigure` call is wrapped in an overly broad `except Exception`. This can silently suppress important errors related to stdout reconfiguration that might indicate environment issues.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The 'requires_key' attribute is redundantly defined in both the 'LLM_PROVIDERS' and 'PROVIDER_SETUP' dictionaries for each LLM provider. This duplication creates two sources of truth and could lead to inconsistencies if updates are not synchronized.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
Direct instantiation of `SuppressionManager` inside the function reduces testability and flexibility. Consider passing an instance or a factory as a dependency.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The `variable if variable else None` pattern (e.g., `meta_issues if meta_issues else None`) is verbose and repeated. If downstream functions treat `None` and empty collections equivalently, the variable can be passed directly. If `None` specifically signifies 'no data' while an empty collection signifies 'empty data set', this pattern might be intentional, but it's worth clarifying this intent.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
Add a specific return type hint to `_init_settings` (e.g., `-> SettingsManager`) to match the detail in its docstring and improve type checking.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The string literal `"1"` used to check the `NEXAVERIFY_SMOKE_CHECK` environment variable could be defined as a named constant for improved readability and maintainability.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
Hardcoded French strings are used in `_classify_provider_error` and `_print_provider_summary`. This limits the application's internationalization capabilities. Consider using a localization framework for user-facing messages.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
The help text for `--fail-on-illusion` is slightly ambiguous regarding its default behavior. It states 'Default when flag present: `medium`', which could be misinterpreted when the flag is not present at all, as the `const` argument only applies when the flag is present without an explicit value.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
Using `datetime.now()` without timezone information can lead to inconsistencies. Consider using `datetime.now(timezone.utc)` or `datetime.utcnow()` for `run_timestamp` to ensure global consistency.
Detected by: ✓ gemini ×0.6 1/3 provider(s) agreed
Potential N+1 query issue in _init_quota function where QuotaManager is instantiated inside a function call
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
No error handling is performed when loading the MainWindow which could lead to unhandled exceptions
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Missing error handling for 'quota.consume()' call
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential 'None' value for 'report.provider_stats' and 'report.failed_providers'
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Missing error handling for quota and rate limiting in resolve_selected_providers function
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential bug with missing validation for --min-occurrences argument
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential edge case: empty lines list in _split_lines method
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The diversity score calculation is not validated for potential division by zero errors.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The ignore_rules.filter_issue_like calls do not handle potential None values in the report issues, which could lead to AttributeError.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential division by zero error in 'report.score = engine.calculate_score(report.issues)'
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential issue with 'sarif_v2_active' variable
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential issue with 'output_paths' dictionary
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Uncaught exception during settings load may cause data loss
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Decrypting secrets may fail silently and return empty string
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Singleton pattern may lead to issues with multiple threads or processes
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential KeyError when accessing 'chunk_index' key in issue dictionary
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential KeyError when accessing 'total_chunks' key in CoverageMap
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential KeyError in compute_rule_trace if active_signal_names is empty
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
No error handling for _hash_inputs and _hash_output
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential KeyError: provider_severities dictionary may not contain all provider IDs
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential IndexError: max(vals) - min(vals) may raise IndexError if vals is empty
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential AttributeError: issue.description may be None
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential ZeroDivisionError: issue.source_count may be zero
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential AttributeError when accessing issue['file'] or issue['type']
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential KeyError when accessing issue['_provider']
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The _action_map dictionary does not handle the case where the attention level is not one of 'routine', 'review', or 'critical'.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The build_proof_bundle function is called without error handling, which could lead to unexpected behavior if an exception is thrown.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The _same_issue function does not handle the case where the 'type' or 'file' key is missing from the issue dictionary
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The function `changed_files` does not handle the case when `base_ref` is not a valid Git reference.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The `current_branch` function does not handle the case when the repository is in a detached HEAD state.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential JSON parsing error in 'guard_truncation' function
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential error in 'call_ollama' function when 'base_url' parameter is empty
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential null pointer exception: `api_key` or `cfg` might be null
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential threading issue: `self._providers` list is not thread-safe
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential issue with load_prompt() function where it does not handle the case where the prompt file does not exist and logging does not capture the exception.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
validate_issues() function does not handle the case where the raw issue list is None, which could lead to a TypeError.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Imports os inside resolve_api_keys function despite being already imported at module level; may indicate unnecessary import and potential shadowing
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Printing raw provider error messages may expose internal exception details or sensitive information to the end user.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Environment variable NEXAVERIFY_SMOKE_CHECK is used without validation, allowing an attacker to trigger the smoke‑check path unintentionally
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
The local secret key file is only chmod'ed on non-Windows platforms; on Windows the file may have overly permissive permissions, exposing encryption keys.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Direct equality check of hashes may allow timing attacks; use constant-time comparison like hmac.compare_digest
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Path returned by git diff is not validated for directory traversal, allowing potentially unsafe relative paths to be processed.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Symlink files could bypass the path traversal check if a symlink resolves outside the project root after the commonpath check; add explicit resolve and containment verification.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
CSS style injects raw variable score_col into style attribute without sanitization, which could be exploited for CSS injection if score_col is not a trusted value
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
License cache file is written without restrictive permissions, potentially exposing the HMAC signature and cache contents to other users
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Folder paths are logged with self._log, potentially exposing sensitive user data in logs.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Web browser is opened directly from UI via webbrowser.open without validation; if PROVIDER_SETUP data is compromised, it could be used for phishing.
Detected by: ✓ cerebras ×0.8 1/3 provider(s) agreed
Potential N+1 query issue with 'report.provider_stats' and 'report.failed_providers'
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential information leak through logging of 'exc' exception
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential security vulnerability with unvalidated API keys in resolve_api_keys function
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential security vulnerability with missing input validation for --scan argument
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
API call missing timeout in _launch_ui function where MainWindow is instantiated
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
No validation is performed on environment variables which could lead to security vulnerabilities
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Hardcoded secrets detected
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Improper Input Validation detected
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
XSS detected
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The code uses the 'os' module to access environment variables, which could be a security risk if not properly validated.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
API call missing timeout
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Heavy library used for a standard library capable task
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
API calls are made without a timeout, which could lead to financial losses due to unpredictable API response times.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The context_map is passed to the LLMManager without any validation or sanitization, potentially allowing an attacker to inject malicious context headers.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The LLMManager.analyze_chunks method makes API calls in a loop without any timeout or retry mechanism, which could lead to financial losses due to timeout or network issues.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
API call missing timeout in 'comparison = compare_against_previous(load_history(output_dir), build_history_entry(project_path=folder, scan_mode=scan_mode, timestamp=run_timestamp, report=report, output_paths={}))'
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential data exposure due to plaintext storage of Ollama base URL
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Insecure encryption method used for secrets
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Windows-only DPAPI encryption may not be secure on other platforms
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Local secret key file permissions may be insecure
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential for timing attacks due to lack of timeout in API calls
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential data tampering vulnerability in ConsensusOutput class
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential N+1 query issue in MetaEngine class
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential hash collision vulnerability in _hash_proof_chain
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential information disclosure: issues and conflicts may contain sensitive data
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Missing API call timeout
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential performance issue: large number of issues and conflicts may impact system performance
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The build_proof_bundle function may be vulnerable to a denial of service attack if it is called with malicious input.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The MetaIssue_cls may be vulnerable to a data injection attack if it is not properly validated.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The build_proof_bundle function is called inside a loop, which could lead to performance issues and increased costs.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The `subprocess.run` function is used with the `capture_output=True` argument, which can lead to security vulnerabilities if not handled properly.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The `subprocess.run` function is used without a timeout, which can lead to infinite waits and increased resource usage.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential DoS vulnerability if arbiter_summary is extremely large
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Missing timeout for load_history function call
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Unvalidated user input in 'scan_mode' parameter
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential for excessive API calls without proper rate limiting
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential information disclosure: logging of sensitive information like API keys or provider IDs
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential API call without timeout: `caller` function call does not have a timeout
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
The load_prompt() function makes an API call to load the prompt, which could lead to additional costs if not properly handled.
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Potential command injection vulnerability in 'how_to_verify' string construction
Detected by: ✓ groq ×0.7 1/3 provider(s) agreed
Call to get_ollama_recommendation may perform an external API request without explicit timeout handling
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
API call to LLM providers via LLMManager.analyze_chunks may lack a timeout, risking hanging calls that can incur cost
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed
call_ollama does not pass an explicit timeout to the OpenAI chat completion request; relies on http_client timeout only which may be ignored in some client implementations
Detected by: ✓ cerebras ×0.7 1/3 provider(s) agreed