{ "score": 45, "grade": "D", "gradeLabel": "Significant security risks", "totalFindings": 59, "totalDepVulns": 0, "categories": { "secrets": { "label": "Secrets", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "injection": { "label": "Code Vulnerabilities", "findingCount": 7, "deduction": 15, "counts": { "critical": 0, "high": 0, "medium": 7, "low": 0 } }, "deps": { "label": "Dependencies", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "auth": { "label": "Auth & Access Control", "findingCount": 0, "deduction": 0, "counts": { "critical": 0, "high": 0, "medium": 0, "low": 0 } }, "config": { "label": "Configuration", "findingCount": 4, "deduction": 10, "counts": { "critical": 0, "high": 4, "medium": 0, "low": 0 } }, "supply-chain": { "label": "Supply Chain", "findingCount": 36, "deduction": 10, "counts": { "critical": 0, "high": 1, "medium": 35, "low": 0 } }, "api": { "label": "API Security", "findingCount": 2, "deduction": 10, "counts": { "critical": 0, "high": 2, "medium": 0, "low": 0 } }, "llm": { "label": "AI/LLM Security", "findingCount": 10, "deduction": 10, "counts": { "critical": 0, "high": 0, "medium": 10, "low": 0 } } }, "findings": [ { "file": "/code/xf/GIA/requirements.txt", "line": 26, "severity": "high", "category": "supply-chain", "rule": "GIT_PYTHON_DEP", "title": "Git/URL Python Dependency: git+https://git.example.invalid/vendor/django-crud-mixins", "description": "Installing from git/URL bypasses PyPI integrity checks.", "fix": "Publish to PyPI or pin to a specific commit hash", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/Dockerfile", "line": 25, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. 
Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/Dockerfile", "line": 27, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/Dockerfile", "line": 29, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/Dockerfile", "line": 30, "severity": "high", "category": "config", "rule": "DOCKER_RUN_AS_ROOT", "title": "Docker: Running as Root", "description": "No USER instruction found. Container runs as root by default.", "fix": "Add USER nonroot before CMD/ENTRYPOINT", "cwe": "CWE-250", "owasp": "A05:2021" }, { "file": "/code/xf/GIA/core/clients/whatsapp.py", "line": 3375, "severity": "high", "category": "api", "rule": "API_UPLOAD_NO_TYPE_CHECK", "title": "API: File Upload Without Type Validation", "description": "File upload using original filename without type validation.", "fix": "Validate file extension and MIME type. Generate random filenames for storage.", "cwe": "CWE-434", "owasp": "A04:2021" }, { "file": "/code/xf/GIA/core/clients/xmpp.py", "line": 53, "severity": "high", "category": "api", "rule": "API_UPLOAD_NO_TYPE_CHECK", "title": "API: File Upload Without Type Validation", "description": "File upload using original filename without type validation.", "fix": "Validate file extension and MIME type. 
Generate random filenames for storage.", "cwe": "CWE-434", "owasp": "A04:2021" }, { "file": "/code/xf/GIA/app/local_settings.py", "line": 10, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/app/local_settings.py", "line": 44, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/app/local_settings.py", "line": 72, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/app/settings.py", "line": 192, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/app/settings.py", "line": 193, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. 
Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/core/memory/search_backend.py", "line": 143, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/scripts/quadlet/render_units.py", "line": 187, "severity": "medium", "category": "ssrf", "rule": "SSRF_INTERNAL_IP", "title": "SSRF: Internal IP Pattern", "description": "Internal IP address in code. Verify it is not reachable via user-controlled URLs.", "fix": "Block private IP ranges in URL validation for user-supplied URLs", "cwe": "CWE-918", "owasp": "A10:2021" }, { "file": "/code/xf/GIA/requirements.txt", "line": 1, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: wheel", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: wheel==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 2, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: uwsgi", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: uwsgi==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 3, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: django==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 4, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: pre-commit", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: pre-commit==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 6, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: crispy-bulma", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: crispy-bulma==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 9, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-rest-framework", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django-rest-framework==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 10, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: uvloop", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: uvloop==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 11, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-htmx", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: django-htmx==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 12, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: cryptography", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: cryptography==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 13, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-debug-toolbar", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django-debug-toolbar==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 14, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-debug-toolbar-template-profiler", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django-debug-toolbar-template-profiler==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 15, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: orjson", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: orjson==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 16, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: msgpack", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: msgpack==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 17, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: apscheduler", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: apscheduler==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 18, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: watchfiles", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: watchfiles==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 19, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-otp", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django-otp==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 20, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-two-factor-auth", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django-two-factor-auth==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 21, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-otp-yubikey", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: django-otp-yubikey==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 22, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: phonenumbers", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: phonenumbers==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 23, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: qrcode", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: qrcode==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 24, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: pydantic", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: pydantic==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 26, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: git+https://git.example.invalid/vendor/django-crud-mixins", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin to a specific commit hash: git+https://git.example.invalid/vendor/django-crud-mixins@<commit-hash> (the ==x.y.z form does not apply to a VCS URL)", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 29, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: redis<7", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: redis==x.y.z (replace the open-ended <7 range with an exact version)", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 30, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: hiredis", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: hiredis==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 31, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django-cachalot", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django-cachalot==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 32, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: django_redis", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: django_redis==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 33, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: requests", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: requests==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 34, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: signalbot", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: signalbot==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 35, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: openai", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: openai==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 36, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: aiograpi", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: aiograpi==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 37, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: aiomysql", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: aiomysql==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 38, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: slixmpp", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: slixmpp==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 39, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: neonize", "description": "Python dependency without version pin. 
Pin to a specific version for reproducible builds.", "fix": "Pin version: neonize==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 40, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: watchdog", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: watchdog==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/requirements.txt", "line": 41, "severity": "medium", "category": "supply-chain", "rule": "UNPINNED_PYTHON_DEP", "title": "Unpinned Python Dependency: uvicorn", "description": "Python dependency without version pin. Pin to a specific version for reproducible builds.", "fix": "Pin version: uvicorn==x.y.z", "cwe": null, "owasp": null }, { "file": "/code/xf/GIA/core/clients/signalapi.py", "line": 398, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 726, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 731, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. 
Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 745, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1364, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1369, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/osint.py", "line": 1383, "severity": "medium", "category": "llm", "rule": "LLM_RAG_NO_VALIDATION", "title": "RAG Pipeline Without Input Validation", "description": "User input passed directly to vector search/embedding without validation.", "fix": "Validate and sanitize input before embedding. Limit query length.", "cwe": "CWE-20", "owasp": "LLM08" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 181, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. 
May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 185, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" }, { "file": "/code/xf/GIA/core/views/signal.py", "line": 188, "severity": "medium", "category": "llm", "rule": "LLM_NO_OUTPUT_FILTER", "title": "LLM Output Without Filtering", "description": "LLM output used directly without filtering. May contain sensitive info or hallucinations.", "fix": "Filter LLM output before displaying: remove PII, validate against expected format", "cwe": "CWE-200", "owasp": "LLM02" } ], "depVulns": [], "remediationPlan": [ { "priority": 1, "severity": "high", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Git/URL Python Dependency: git+https://git.example.invalid/vendor/django-crud-mixins", "file": "requirements.txt:26", "action": "Publish to PyPI or pin to a specific commit hash", "effort": "medium" }, { "priority": 2, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:25", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 3, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:27", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 4, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:29", "action": "Add USER nonroot before 
CMD/ENTRYPOINT", "effort": "low" }, { "priority": 5, "severity": "high", "category": "config", "categoryLabel": "CONFIGURATION", "title": "Docker: Running as Root", "file": "Dockerfile:30", "action": "Add USER nonroot before CMD/ENTRYPOINT", "effort": "low" }, { "priority": 6, "severity": "high", "category": "api", "categoryLabel": "API SECURITY", "title": "API: File Upload Without Type Validation", "file": "core/clients/whatsapp.py:3375", "action": "Validate file extension and MIME type. Generate random filenames for storage.", "effort": "medium" }, { "priority": 7, "severity": "high", "category": "api", "categoryLabel": "API SECURITY", "title": "API: File Upload Without Type Validation", "file": "core/clients/xmpp.py:53", "action": "Validate file extension and MIME type. Generate random filenames for storage.", "effort": "medium" }, { "priority": 8, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "app/local_settings.py:10", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 9, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "app/local_settings.py:44", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 10, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "app/local_settings.py:72", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 11, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "app/settings.py:192", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 12, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", 
"file": "app/settings.py:193", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 13, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "core/memory/search_backend.py:143", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 14, "severity": "medium", "category": "ssrf", "categoryLabel": "SSRF", "title": "SSRF: Internal IP Pattern", "file": "scripts/quadlet/render_units.py:187", "action": "Block private IP ranges in URL validation for user-supplied URLs", "effort": "medium" }, { "priority": 15, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: wheel", "file": "requirements.txt:1", "action": "Pin version: wheel==x.y.z", "effort": "medium" }, { "priority": 16, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: uwsgi", "file": "requirements.txt:2", "action": "Pin version: uwsgi==x.y.z", "effort": "medium" }, { "priority": 17, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django", "file": "requirements.txt:3", "action": "Pin version: django==x.y.z", "effort": "medium" }, { "priority": 18, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: pre-commit", "file": "requirements.txt:4", "action": "Pin version: pre-commit==x.y.z", "effort": "medium" }, { "priority": 19, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: crispy-bulma", "file": "requirements.txt:6", "action": "Pin version: crispy-bulma==x.y.z", "effort": "medium" }, { "priority": 20, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": 
"Unpinned Python Dependency: django-rest-framework", "file": "requirements.txt:9", "action": "Pin version: django-rest-framework==x.y.z", "effort": "medium" }, { "priority": 21, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: uvloop", "file": "requirements.txt:10", "action": "Pin version: uvloop==x.y.z", "effort": "medium" }, { "priority": 22, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-htmx", "file": "requirements.txt:11", "action": "Pin version: django-htmx==x.y.z", "effort": "medium" }, { "priority": 23, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: cryptography", "file": "requirements.txt:12", "action": "Pin version: cryptography==x.y.z", "effort": "medium" }, { "priority": 24, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-debug-toolbar", "file": "requirements.txt:13", "action": "Pin version: django-debug-toolbar==x.y.z", "effort": "medium" }, { "priority": 25, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-debug-toolbar-template-profiler", "file": "requirements.txt:14", "action": "Pin version: django-debug-toolbar-template-profiler==x.y.z", "effort": "medium" }, { "priority": 26, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: orjson", "file": "requirements.txt:15", "action": "Pin version: orjson==x.y.z", "effort": "medium" }, { "priority": 27, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: msgpack", "file": "requirements.txt:16", "action": "Pin version: msgpack==x.y.z", "effort": "medium" }, { "priority": 28, "severity": 
"medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: apscheduler", "file": "requirements.txt:17", "action": "Pin version: apscheduler==x.y.z", "effort": "medium" }, { "priority": 29, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: watchfiles", "file": "requirements.txt:18", "action": "Pin version: watchfiles==x.y.z", "effort": "medium" }, { "priority": 30, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-otp", "file": "requirements.txt:19", "action": "Pin version: django-otp==x.y.z", "effort": "medium" }, { "priority": 31, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-two-factor-auth", "file": "requirements.txt:20", "action": "Pin version: django-two-factor-auth==x.y.z", "effort": "medium" }, { "priority": 32, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-otp-yubikey", "file": "requirements.txt:21", "action": "Pin version: django-otp-yubikey==x.y.z", "effort": "medium" }, { "priority": 33, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: phonenumbers", "file": "requirements.txt:22", "action": "Pin version: phonenumbers==x.y.z", "effort": "medium" }, { "priority": 34, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: qrcode", "file": "requirements.txt:23", "action": "Pin version: qrcode==x.y.z", "effort": "medium" }, { "priority": 35, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: pydantic", "file": "requirements.txt:24", "action": "Pin version: pydantic==x.y.z", "effort": "medium" }, { 
"priority": 36, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: git+https://git.example.invalid/vendor/django-crud-mixins", "file": "requirements.txt:26", "action": "Pin version: git+https://git.example.invalid/vendor/django-crud-mixins@<commit-sha> (a git URL is pinned by commit, not with ==)", "effort": "medium" }, { "priority": 37, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: redis<7", "file": "requirements.txt:29", "action": "Pin version: redis==x.y.z (a release within the existing <7 bound)", "effort": "medium" }, { "priority": 38, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: hiredis", "file": "requirements.txt:30", "action": "Pin version: hiredis==x.y.z", "effort": "medium" }, { "priority": 39, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django-cachalot", "file": "requirements.txt:31", "action": "Pin version: django-cachalot==x.y.z", "effort": "medium" }, { "priority": 40, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: django_redis", "file": "requirements.txt:32", "action": "Pin version: django_redis==x.y.z", "effort": "medium" }, { "priority": 41, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: requests", "file": "requirements.txt:33", "action": "Pin version: requests==x.y.z", "effort": "medium" }, { "priority": 42, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: signalbot", "file": "requirements.txt:34", "action": "Pin version: signalbot==x.y.z", "effort": "medium" }, { "priority": 43, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: openai", "file": 
"requirements.txt:35", "action": "Pin version: openai==x.y.z", "effort": "medium" }, { "priority": 44, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: aiograpi", "file": "requirements.txt:36", "action": "Pin version: aiograpi==x.y.z", "effort": "medium" }, { "priority": 45, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: aiomysql", "file": "requirements.txt:37", "action": "Pin version: aiomysql==x.y.z", "effort": "medium" }, { "priority": 46, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: slixmpp", "file": "requirements.txt:38", "action": "Pin version: slixmpp==x.y.z", "effort": "medium" }, { "priority": 47, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: neonize", "file": "requirements.txt:39", "action": "Pin version: neonize==x.y.z", "effort": "medium" }, { "priority": 48, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: watchdog", "file": "requirements.txt:40", "action": "Pin version: watchdog==x.y.z", "effort": "medium" }, { "priority": 49, "severity": "medium", "category": "supply-chain", "categoryLabel": "SUPPLY CHAIN", "title": "Unpinned Python Dependency: uvicorn", "file": "requirements.txt:41", "action": "Pin version: uvicorn==x.y.z", "effort": "medium" }, { "priority": 50, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/clients/signalapi.py:398", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 51, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": 
"core/views/osint.py:726", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 52, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:731", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 53, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:745", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 54, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1364", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 55, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1369", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 56, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "RAG Pipeline Without Input Validation", "file": "core/views/osint.py:1383", "action": "Validate and sanitize input before embedding. Limit query length.", "effort": "high" }, { "priority": 57, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:181", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 58, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:185", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" }, { "priority": 59, "severity": "medium", "category": "llm", "categoryLabel": "AI/LLM SECURITY", "title": "LLM Output Without Filtering", "file": "core/views/signal.py:188", "action": "Filter LLM output before displaying: remove PII, validate against expected format", "effort": "high" } ], "recon": { "frameworks": [ "django" ], "languages": [ "python" ], "apiRoutes": [ "app/urls.py", "core/management/commands/backfill_xmpp_attachment_urls.py" ], "authPatterns": [], "databases": [], "cloudProviders": [], "frontendExposure": [], "packageManagers": [ "pip" ], "cicd": [], "hasDockerfile": true, "hasTerraform": false, "hasKubernetes": false, "envFiles": [], "configFiles": [] }, "agents": [ { "agent": "InjectionTester", "category": "injection", "findingCount": 0, "success": true }, { "agent": "AuthBypassAgent", "category": "auth", "findingCount": 0, "success": true }, { "agent": "SSRFProber", "category": "ssrf", "findingCount": 7, "success": true }, { "agent": "SupplyChainAudit", "category": "supply-chain", "findingCount": 36, "success": true }, { "agent": "ConfigAuditor", "category": "config", "findingCount": 4, "success": true }, { "agent": "LLMRedTeam", "category": "llm", "findingCount": 10, "success": true }, { "agent": "MobileScanner", "category": "mobile", "findingCount": 0, "success": true }, { "agent": "GitHistoryScanner", "category": "history", "findingCount": 
0, "success": true }, { "agent": "CICDScanner", "category": "cicd", "findingCount": 0, "success": true }, { "agent": "APIFuzzer", "category": "api", "findingCount": 2, "success": true } ] }