Static site #12
Conversation
| <div class="result-header"> | ||
| <div> | ||
| <div class="result-title">${repo.name}</div> | ||
| <div class="result-sub">${repo.languageFocus} focus</div> |
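Review bot: the last two lines of this hunk interpolate `${repo.name}` and `${repo.languageFocus}` into markup without going through the escapeHtml helper the same file uses for sample.identifier, sample.assetType and sample.path; wrap them as `${escapeHtml(repo.name)}` and `${escapeHtml(repo.languageFocus)}` (and do the same for item.label) so every field that reaches innerHTML is escaped by one code path, or build these nodes with textContent instead of a template string.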
Inconsistent HTML escaping creates XSS vulnerability
The escapeHtml function is defined and correctly used for some properties like sample.identifier, sample.assetType, and sample.path, but is inconsistently applied. The values repo.name, repo.languageFocus, and item.label are inserted directly into innerHTML without escaping. While the data currently comes from controlled JSON files, this pattern creates an XSS vulnerability if the data source changes or if malicious data is introduced into the results.
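The consistent-escaping fix the comment above asks for, as an added example rather than the project's own www/app.js: the result-header template from the diff with escapeHtml applied to repo.name and repo.languageFocus, the unescaped version kept alongside for comparison, and a tag-counting check that a unit test can use to prove that an input containing angle brackets no longer produces extra markup. The escapeHtml implementation and the "result-item" class name are assumptions for this example.

```javascript
// Added example, not the project's www/app.js. Every field that is interpolated
// into markup goes through one escaper, so a name such as 'Demo <Repo> & "Co"'
// renders as text instead of being parsed as HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(value) {
  // Coerce to string first so numbers or undefined cannot bypass escaping.
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The template as it appears in the diff: repo fields are inserted raw.
function renderResultHeaderUnsafe(repo) {
  return [
    '<div class="result-header">',
    "<div>",
    `<div class="result-title">${repo.name}</div>`,
    `<div class="result-sub">${repo.languageFocus} focus</div>`,
    "</div>",
    "</div>",
  ].join("");
}

// Hardened version: the two flagged fields go through escapeHtml.
function renderResultHeader(repo) {
  return [
    '<div class="result-header">',
    "<div>",
    `<div class="result-title">${escapeHtml(repo.name)}</div>`,
    `<div class="result-sub">${escapeHtml(repo.languageFocus)} focus</div>`,
    "</div>",
    "</div>",
  ].join("");
}

// Same rule for item.label, the third unescaped field the review names.
// The "result-item" class is an assumption for this example.
function renderItems(items) {
  return items.map((item) => `<li class="result-item">${escapeHtml(item.label)}</li>`).join("");
}

// Regression check: counts HTML tags in the output. For the hardened renderer
// the count must equal the number of tags in the template itself (8), whatever
// the input contains.
function countTags(html) {
  return (html.match(/<[a-zA-Z/][^>]*>/g) || []).length;
}

// Constructed sample containing the characters that need escaping.
const sampleRepo = { name: 'Demo <Repo> & "Co"', languageFocus: "Python" };
console.log(renderResultHeader(sampleRepo));
console.log("tags unsafe:", countTags(renderResultHeaderUnsafe(sampleRepo)), "tags safe:", countTags(renderResultHeader(sampleRepo)));
```

The point of countTags is that a test can assert structurally on the output rather than eyeballing it: the template contributes a fixed number of tags, so any extra tag is data that escaped unescaped.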
| {"assetType":"algorithm","identifier":"PBKDF2","path":"/home/isaace/Projects/cipherscope/.scans/django/tests/auth_tests/test_hashers.py","evidence":{"line":391,"column":27},"metadata":{"primitive":"kdf"}} | ||
| {"assetType":"algorithm","identifier":"PBKDF2","path":"/home/isaace/Projects/cipherscope/.scans/django/tests/auth_tests/test_hashers.py","evidence":{"line":412,"column":27},"metadata":{"primitive":"kdf"}} | ||
| {"assetType":"algorithm","identifier":"SHA-1","path":"/home/isaace/Projects/cipherscope/.scans/django/tests/file_uploads/tests.py","evidence":{"line":115,"column":48},"metadata":{"primitive":"hash"}} | ||
| {"assetType":"algorithm","identifier":"SHA-1","path":"/home/isaace/Projects/cipherscope/.scans/django/tests/file_uploads/tests.py","evidence":{"line":120,"column":48},"metadata":{"primitive":"hash"}} |
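Review bot: every `path` in these records carries the `/home/isaace/Projects/cipherscope/` checkout prefix; emit paths relative to the scan root (for example `.scans/django/tests/file_uploads/tests.py`) when the JSONL is generated, regenerate these files before merge, and consider a pre-commit check that rejects any `path` beginning with `/`.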
Local development paths accidentally committed in data files
The JSONL data files contain absolute local file system paths like /home/isaace/Projects/cipherscope/.scans/... which expose the developer's username and internal project structure. These paths appear to be output from a local scan that was committed directly without sanitization. The paths reveal internal development environment details that are likely not intended to be public.
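One way to keep local paths out of the committed datasets, as an added example and not cipherscope's own tooling: rewrite each record's `path` to start at the scan root and run a check that fails when an absolute path remains. The records below are constructed in the shape of the diff; the `/home/devuser/...` prefix is a placeholder, and treating `/.scans/` as the scan-root marker is an assumption for this example.

```javascript
// Added example, not the project's own code: strip the local checkout prefix
// from scan-result paths before they are committed, and flag any that remain.
const SCAN_ROOT_MARKER = "/.scans/"; // assumption: scans live under .scans/ in the checkout

// "/home/devuser/Projects/cipherscope/.scans/django/x.py" -> ".scans/django/x.py"
function relativizePath(p) {
  const i = p.indexOf(SCAN_ROOT_MARKER);
  return i === -1 ? p : p.slice(i + 1);
}

// Rewrites every record's path; other fields pass through untouched.
function sanitizeJsonl(text) {
  return text
    .split("\n")
    .filter((line) => line.trim() !== "")
    .map((line) => {
      const rec = JSON.parse(line);
      if (typeof rec.path === "string") rec.path = relativizePath(rec.path);
      return JSON.stringify(rec);
    })
    .join("\n");
}

// Pre-commit style check: 1-based line numbers whose path is still absolute.
function findAbsolutePaths(text) {
  const hits = [];
  text.split("\n").forEach((line, idx) => {
    if (line.trim() === "") return;
    const rec = JSON.parse(line);
    if (typeof rec.path === "string" && rec.path.startsWith("/")) hits.push(idx + 1);
  });
  return hits;
}

// Constructed sample: first record leaks a placeholder checkout prefix, second is already relative.
const sampleJsonl = [
  JSON.stringify({ assetType: "algorithm", identifier: "PBKDF2",
    path: "/home/devuser/Projects/cipherscope/.scans/django/tests/auth_tests/test_hashers.py",
    evidence: { line: 391, column: 27 }, metadata: { primitive: "kdf" } }),
  JSON.stringify({ assetType: "algorithm", identifier: "SHA-1",
    path: ".scans/django/tests/file_uploads/tests.py",
    evidence: { line: 115, column: 48 }, metadata: { primitive: "hash" } }),
].join("\n");

console.log("absolute paths before:", findAbsolutePaths(sampleJsonl));
console.log(sanitizeJsonl(sampleJsonl));
```

Running findAbsolutePaths against www/data/*.jsonl in CI (or a pre-commit hook) turns the review finding into a repeatable gate rather than something a reviewer has to spot by eye.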
| nistQuantumSecurityLevel = 0 | ||
| symbol_patterns = [ | ||
| "\\bRSA_", | ||
| "\\bEVP_PKEY_RSA", |
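Review bot: with `"\\bEVP_PKEY_RSA"` removed from this `symbol_patterns` list, nothing left in it matches RSA set up through the EVP API, while the DSA entry in the same change gained anchored call patterns; add the RSA counterpart, e.g. `"EVP_PKEY_CTX_new_id\\s*\\(\\s*EVP_PKEY_RSA"`, so that narrowing the bare constant does not silently drop EVP-API RSA coverage, and extend the expected.jsonl fixture with an EVP RSA case so the regression is caught.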
RSA EVP API detection patterns removed without replacement
The refactoring removes \\bEVP_PKEY_RSA from RSA detection patterns but unlike DSA (which received replacement patterns like EVP_PKEY_CTX_new_id\\s*\\(\\s*EVP_PKEY_DSA and EVP_PKEY_CTX_new_from_name), RSA did not receive equivalent replacements. This means RSA usage via the EVP API (e.g., EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)) will no longer be detected while the equivalent DSA usage will be. The detection is now inconsistent between RSA and DSA algorithms.
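To make the coverage gap described above concrete, here is an added example (not cipherscope's scanner or its patterns.toml): the pattern strings are written as they would appear in a TOML double-quoted string, compiled to regular expressions, and run over constructed C source lines. The "proposed" set is a hypothetical RSA counterpart of the DSA replacement patterns quoted in the review; the sample lines are constructed for this example.

```javascript
// Added example, not cipherscope's own code. Pattern strings are written as in
// patterns.toml (TOML double-quoted, so "\\b" is the regex \b) and compiled here.
const rsaPatternsBefore = ["\\bRSA_", "\\bEVP_PKEY_RSA"];
const rsaPatternsAfter = ["\\bRSA_"]; // the diff drops \bEVP_PKEY_RSA
// Hypothetical RSA counterparts of the DSA replacements named in the review:
// anchor on the call that selects the algorithm rather than on the bare constant.
const rsaPatternsProposed = [
  "\\bRSA_",
  "EVP_PKEY_CTX_new_id\\s*\\(\\s*EVP_PKEY_RSA",
  "EVP_PKEY_CTX_new_from_name\\s*\\([^)]*\"RSA\"",
];

// Constructed C lines covering the cases that matter.
const sampleSource = [
  "EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);", // 0: EVP-API RSA context
  "RSA *rsa = RSA_new();",                                          // 1: legacy RSA API
  "/* EVP_PKEY_RSA is deliberately not supported here */",          // 2: mention only, no use
  'ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);',           // 3: provider-style RSA
  "EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, NULL);",  // 4: DSA, must not count as RSA
];

// Returns the sorted indexes of lines matched by at least one pattern.
function matchedLines(patterns, lines) {
  const regexes = patterns.map((p) => new RegExp(p));
  const hits = new Set();
  lines.forEach((line, idx) => {
    if (regexes.some((re) => re.test(line))) hits.add(idx);
  });
  return [...hits].sort((a, b) => a - b);
}

// Side-by-side report of what each pattern set catches in the sample.
function coverageReport() {
  return {
    before: matchedLines(rsaPatternsBefore, sampleSource),
    after: matchedLines(rsaPatternsAfter, sampleSource),
    proposed: matchedLines(rsaPatternsProposed, sampleSource),
  };
}

console.log(coverageReport());
```

The "before" set flags the comment on line 2 as well as real uses, which is the overly broad constant match the refactoring wanted to avoid; the "after" set loses line 0 entirely, which is the regression the review points at; the anchored call patterns keep line 0 and pick up the provider-style construction on line 3 without touching the comment or the DSA line.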
Note
Builds a public static results site and broadens detection coverage across libraries.
vercel.json, www/app.js, and JSONL datasets (www/data/*.jsonl) to render/download scan results
patterns.toml: (; avoid overly broad constants) for RSA, DSA, EC_KEY, ECDSA, ED25519, X509, AES*, SHA-256 function calls, AES modes) and refine PyCA RSA type matches
hashlib, hmac, ssl APIs and detailed algorithm definitions (SHA family, MD5, BLAKE2, PBKDF2, scrypt, HMAC)
openssl_comprehensive/expected.jsonl) to adjust DSA evidence column position
Written by Cursor Bugbot for commit 06b2c79.