npm - @fabasoad/sarif-to-slack - Versions diffs - 0.2.5 → 1.1.0 - Mend

@fabasoad/sarif-to-slack 0.2.5 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

package/.github/workflows/release.yml +1 -1
package/.github/workflows/security.yml +0 -1
package/.github/workflows/send-sarif-to-slack.yml +145 -73
package/.gitleaksignore +8 -0
package/.pre-commit-config.yaml +3 -3
package/.tool-versions +1 -1
package/dist/Logger.js +4 -1
package/dist/SarifToSlackClient.d.ts +33 -0
package/dist/SarifToSlackClient.d.ts.map +1 -0
package/dist/SarifToSlackClient.js +178 -0
package/dist/SlackMessageBuilder.js +34 -82
package/dist/System.d.ts +1 -3
package/dist/System.d.ts.map +1 -1
package/dist/System.js +10 -3
package/dist/index.cjs +826 -472
package/dist/index.d.ts +35 -12
package/dist/index.d.ts.map +1 -1
package/dist/index.js +36 -12
package/dist/model/Color.d.ts +80 -0
package/dist/model/Color.d.ts.map +1 -0
package/dist/model/Color.js +106 -0
package/dist/model/Finding.d.ts +2 -0
package/dist/model/Finding.d.ts.map +1 -0
package/dist/model/Finding.js +93 -0
package/dist/model/FindingsArray.d.ts +2 -0
package/dist/model/FindingsArray.d.ts.map +1 -0
package/dist/model/FindingsArray.js +24 -0
package/dist/processors/CodeQLProcessor.d.ts +2 -0
package/dist/processors/CodeQLProcessor.d.ts.map +1 -0
package/dist/processors/CodeQLProcessor.js +17 -0
package/dist/processors/CommonProcessor.d.ts +2 -0
package/dist/processors/CommonProcessor.d.ts.map +1 -0
package/dist/processors/CommonProcessor.js +84 -0
package/dist/processors/ProcessorFactory.d.ts +2 -0
package/dist/processors/ProcessorFactory.d.ts.map +1 -0
package/dist/processors/ProcessorFactory.js +22 -0
package/dist/processors/SnykProcessor.d.ts +2 -0
package/dist/processors/SnykProcessor.d.ts.map +1 -0
package/dist/processors/SnykProcessor.js +18 -0
package/dist/representations/CompactGroupByRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByRepresentation.js +58 -0
package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByRunPerLevelRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByRunPerLevelRepresentation.js +13 -0
package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByRunPerSeverityRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByRunPerSeverityRepresentation.js +13 -0
package/dist/representations/CompactGroupByRunRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByRunRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByRunRepresentation.js +39 -0
package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupBySarifPerLevelRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupBySarifPerLevelRepresentation.js +13 -0
package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupBySarifPerSeverityRepresentation.js +13 -0
package/dist/representations/CompactGroupBySarifRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupBySarifRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupBySarifRepresentation.js +40 -0
package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByToolNamePerLevelRepresentation.js +13 -0
package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByToolNamePerSeverityRepresentation.js +13 -0
package/dist/representations/CompactGroupByToolNameRepresentation.d.ts +2 -0
package/dist/representations/CompactGroupByToolNameRepresentation.d.ts.map +1 -0
package/dist/representations/CompactGroupByToolNameRepresentation.js +39 -0
package/dist/representations/CompactTotalPerLevelRepresentation.d.ts +2 -0
package/dist/representations/CompactTotalPerLevelRepresentation.d.ts.map +1 -0
package/dist/representations/CompactTotalPerLevelRepresentation.js +13 -0
package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts +2 -0
package/dist/representations/CompactTotalPerSeverityRepresentation.d.ts.map +1 -0
package/dist/representations/CompactTotalPerSeverityRepresentation.js +13 -0
package/dist/representations/CompactTotalRepresentation.d.ts +2 -0
package/dist/representations/CompactTotalRepresentation.d.ts.map +1 -0
package/dist/representations/CompactTotalRepresentation.js +25 -0
package/dist/representations/Representation.d.ts +2 -0
package/dist/representations/Representation.d.ts.map +1 -0
package/dist/representations/Representation.js +28 -0
package/dist/representations/RepresentationFactory.d.ts +2 -0
package/dist/representations/RepresentationFactory.d.ts.map +1 -0
package/dist/representations/RepresentationFactory.js +37 -0
package/dist/sarif-to-slack.d.ts +347 -85
package/dist/tsdoc-metadata.json +1 -1
package/dist/types.d.ts +215 -51
package/dist/types.d.ts.map +1 -1
package/dist/types.js +225 -33
package/dist/utils/Comparators.d.ts +2 -0
package/dist/utils/Comparators.d.ts.map +1 -0
package/dist/utils/Comparators.js +18 -0
package/dist/utils/ExtendedArray.d.ts +2 -0
package/dist/utils/ExtendedArray.d.ts.map +1 -0
package/dist/utils/ExtendedArray.js +11 -0
package/dist/utils/FileUtils.d.ts +2 -0
package/dist/utils/FileUtils.d.ts.map +1 -0
package/dist/utils/FileUtils.js +51 -0
package/dist/utils/SarifUtils.js +20 -54
package/etc/sarif-to-slack.api.md +162 -99
package/jest.config.json +2 -2
package/package.json +7 -7
package/scripts/save-metadata.sh +12 -10
package/src/Logger.ts +4 -0
package/src/SarifToSlackClient.ts +202 -0
package/src/SlackMessageBuilder.ts +35 -115
package/src/System.ts +9 -2
package/src/index.ts +47 -20
package/src/model/Color.ts +195 -0
package/src/model/Finding.ts +137 -0
package/src/model/FindingsArray.ts +27 -0
package/src/processors/CodeQLProcessor.ts +19 -0
package/src/processors/CommonProcessor.ts +103 -0
package/src/processors/ProcessorFactory.ts +23 -0
package/src/processors/SnykProcessor.ts +19 -0
package/src/representations/CompactGroupByRepresentation.ts +67 -0
package/src/representations/CompactGroupByRunPerLevelRepresentation.ts +14 -0
package/src/representations/CompactGroupByRunPerSeverityRepresentation.ts +14 -0
package/src/representations/CompactGroupByRunRepresentation.ts +44 -0
package/src/representations/CompactGroupBySarifPerLevelRepresentation.ts +15 -0
package/src/representations/CompactGroupBySarifPerSeverityRepresentation.ts +15 -0
package/src/representations/CompactGroupBySarifRepresentation.ts +45 -0
package/src/representations/CompactGroupByToolNamePerLevelRepresentation.ts +15 -0
package/src/representations/CompactGroupByToolNamePerSeverityRepresentation.ts +15 -0
package/src/representations/CompactGroupByToolNameRepresentation.ts +44 -0
package/src/representations/CompactTotalPerLevelRepresentation.ts +14 -0
package/src/representations/CompactTotalPerSeverityRepresentation.ts +14 -0
package/src/representations/CompactTotalRepresentation.ts +27 -0
package/src/representations/Representation.ts +35 -0
package/src/representations/RepresentationFactory.ts +49 -0
package/src/types.ts +270 -53
package/src/utils/Comparators.ts +19 -0
package/src/utils/ExtendedArray.ts +11 -0
package/src/utils/FileUtils.ts +60 -0
package/src/utils/SarifUtils.ts +20 -72
package/test-data/sarif/codeql-python.sarif +1448 -1
package/test-data/sarif/codeql-typescript.sarif +3474 -1
package/test-data/sarif/grype-github-actions.sarif +65 -0
package/test-data/sarif/osv-scanner-composer.sarif +972 -0
package/test-data/sarif/osv-scanner-container.sarif +2278 -0
package/test-data/sarif/osv-scanner-gomodules.sarif +813 -0
package/test-data/sarif/osv-scanner-hex.sarif +147 -0
package/test-data/sarif/osv-scanner-maven.sarif +171 -0
package/test-data/sarif/osv-scanner-npm.sarif +627 -0
package/test-data/sarif/osv-scanner-pip.sarif +206 -0
package/test-data/sarif/osv-scanner-pipenv.sarif +243 -0
package/test-data/sarif/osv-scanner-pnpm.sarif +174 -0
package/test-data/sarif/osv-scanner-poetry.sarif +1893 -0
package/test-data/sarif/osv-scanner-rubygems.sarif +402 -0
package/test-data/sarif/osv-scanner-uv.sarif +206 -0
package/test-data/sarif/osv-scanner-yarn.sarif +5207 -0
package/test-data/sarif/runs-0.sarif +5 -0
package/test-data/sarif/runs-2-tools-2-results-0.sarif +1 -1
package/test-data/sarif/runs-2-tools-2.sarif +1 -1
package/test-data/sarif/runs-3-tools-2-results-0.sarif +1 -1
package/test-data/sarif/runs-3-tools-2.sarif +1 -1
package/test-data/sarif/tmp/codeql-csharp.sarif +1 -0
package/test-data/sarif/tmp/grype-container.sarif +1774 -0
package/test-data/sarif/tmp/runs-1-tools-1-results-0.sarif +18 -0
package/test-data/sarif/tmp/runs-2-tools-2.sarif +686 -0
package/test-data/sarif/trivy-iac.sarif +1 -1
package/tests/integration/SendSarifToSlack.spec.ts +95 -27
package/tsconfig.json +2 -0
package/dist/Processors.d.ts +0 -2
package/dist/Processors.d.ts.map +0 -1
package/dist/Processors.js +0 -61
package/dist/SarifToSlackService.d.ts +0 -39
package/dist/SarifToSlackService.d.ts.map +0 -1
package/dist/SarifToSlackService.js +0 -104
package/dist/metadata.d.ts +0 -2
package/dist/metadata.d.ts.map +0 -1
package/dist/metadata.js +0 -11
package/dist/model/SarifModelPerRun.d.ts +0 -2
package/dist/model/SarifModelPerRun.d.ts.map +0 -1
package/dist/model/SarifModelPerRun.js +0 -90
package/dist/model/SarifModelPerSarif.d.ts +0 -2
package/dist/model/SarifModelPerSarif.d.ts.map +0 -1
package/dist/model/SarifModelPerSarif.js +0 -102
package/dist/model/types.d.ts +0 -2
package/dist/model/types.d.ts.map +0 -1
package/dist/model/types.js +0 -49
package/dist/utils/SortUtils.d.ts +0 -2
package/dist/utils/SortUtils.d.ts.map +0 -1
package/dist/utils/SortUtils.js +0 -20
package/src/Processors.ts +0 -68
package/src/SarifToSlackService.ts +0 -117
package/src/metadata.ts +0 -10
package/src/model/SarifModelPerRun.ts +0 -120
package/src/model/SarifModelPerSarif.ts +0 -126
package/src/model/types.ts +0 -50
package/src/utils/SortUtils.ts +0 -33
package/tests/Processors.spec.ts +0 -76

package/test-data/sarif/codeql-python.sarif CHANGED Viewed

@@ -1 +1,1448 @@
-{"$schema":"https://json.schemastore.org/sarif-2.1.0.json","version":"2.1.0","runs":[{"tool":{"driver":{"name":"CodeQL","organization":"GitHub","semanticVersion":"2.19.0","notifications":[{"id":"py/diagnostics/successfully-extracted-files","name":"py/diagnostics/successfully-extracted-files","shortDescription":{"text":"Extracted Python files"},"fullDescription":{"text":"Lists all Python files in the source code directory that were extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["successfully-extracted-files"],"description":"Lists all Python files in the source code directory that were extracted.","id":"py/diagnostics/successfully-extracted-files","kind":"diagnostic","name":"Extracted Python files"}},{"id":"py/diagnostics/extraction-warnings","name":"py/diagnostics/extraction-warnings","shortDescription":{"text":"Python extraction warnings"},"fullDescription":{"text":"List all extraction warnings for Python files in the source code directory."},"defaultConfiguration":{"enabled":true},"properties":{"description":"List all extraction warnings for Python files in the source code directory.","id":"py/diagnostics/extraction-warnings","kind":"diagnostic","name":"Python extraction warnings"}},{"id":"py/baseline/expected-extracted-files","name":"py/baseline/expected-extracted-files","shortDescription":{"text":"Expected extracted files"},"fullDescription":{"text":"Files appearing in the source archive that are expected to be extracted."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["expected-extracted-files","telemetry"]}},{"id":"cli/sip-enablement","name":"cli/sip-enablement","shortDescription":{"text":"macOS SIP enablement status"},"fullDescription":{"text":"macOS SIP enablement status"},"defaultConfiguration":{"enabled":true}}],"rules":[{"id":"py/code-injection","name":"py/code-injection","shortDescription":{"text":"Code injection"},"fullDescription":{"text":"Interpreting unsanitized user input as code allows a malicious user to perform arbitrary code execution."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-094","external/cwe/cwe-095","external/cwe/cwe-116"],"description":"Interpreting unsanitized user input as code allows a malicious user to perform arbitrary\n              code execution.","id":"py/code-injection","kind":"path-problem","name":"Code injection","precision":"high","problem.severity":"error","security-severity":"9.3","sub-severity":"high"}},{"id":"py/stack-trace-exposure","name":"py/stack-trace-exposure","shortDescription":{"text":"Information exposure through an exception"},"fullDescription":{"text":"Leaking information about an exception, such as messages and stack traces, to an external user can expose implementation details that are useful to an attacker for developing a subsequent exploit."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-209","external/cwe/cwe-497"],"description":"Leaking information about an exception, such as messages and stack traces, to an\n              external user can expose implementation details that are useful to an attacker for\n              developing a subsequent exploit.","id":"py/stack-trace-exposure","kind":"path-problem","name":"Information exposure through an exception","precision":"high","problem.severity":"error","security-severity":"5.4"}},{"id":"py/url-redirection","name":"py/url-redirection","shortDescription":{"text":"URL redirection from remote source"},"fullDescription":{"text":"URL redirection based on unvalidated user input may cause redirection to malicious web sites."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-601"],"description":"URL redirection based on unvalidated user input\n              may cause redirection to malicious web sites.","id":"py/url-redirection","kind":"path-problem","name":"URL redirection from remote source","precision":"high","problem.severity":"error","security-severity":"6.1","sub-severity":"low"}},{"id":"py/weak-crypto-key","name":"py/weak-crypto-key","shortDescription":{"text":"Use of weak cryptographic key"},"fullDescription":{"text":"Use of a cryptographic key that is too small may allow the encryption to be broken."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-326"],"description":"Use of a cryptographic key that is too small may allow the encryption to be broken.","id":"py/weak-crypto-key","kind":"problem","name":"Use of weak cryptographic key","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/http-response-splitting","name":"py/http-response-splitting","shortDescription":{"text":"HTTP Response Splitting"},"fullDescription":{"text":"Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-113","external/cwe/cwe-079"],"description":"Writing user input directly to an HTTP header\n              makes code vulnerable to attack by header splitting.","id":"py/http-response-splitting","kind":"path-problem","name":"HTTP Response Splitting","precision":"high","problem.severity":"error","security-severity":"6.1"}},{"id":"py/nosql-injection","name":"py/nosql-injection","shortDescription":{"text":"NoSQL Injection"},"fullDescription":{"text":"Building a NoSQL query from user-controlled sources is vulnerable to insertion of malicious NoSQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-943"],"description":"Building a NoSQL query from user-controlled sources is vulnerable to insertion of\n              malicious NoSQL code by the user.","id":"py/nosql-injection","kind":"path-problem","name":"NoSQL Injection","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"py/insecure-default-protocol","name":"py/insecure-default-protocol","shortDescription":{"text":"Default version of SSL/TLS may be insecure"},"fullDescription":{"text":"Leaving the SSL/TLS version unspecified may result in an insecure default protocol being used."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Leaving the SSL/TLS version unspecified may result in an insecure\n              default protocol being used.","id":"py/insecure-default-protocol","kind":"problem","name":"Default version of SSL/TLS may be insecure","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/weak-cryptographic-algorithm","name":"py/weak-cryptographic-algorithm","shortDescription":{"text":"Use of a broken or weak cryptographic algorithm"},"fullDescription":{"text":"Using broken or weak cryptographic algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Using broken or weak cryptographic algorithms can compromise security.","id":"py/weak-cryptographic-algorithm","kind":"problem","name":"Use of a broken or weak cryptographic algorithm","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/insecure-protocol","name":"py/insecure-protocol","shortDescription":{"text":"Use of insecure SSL/TLS version"},"fullDescription":{"text":"Using an insecure SSL/TLS version may leave the connection vulnerable to attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327"],"description":"Using an insecure SSL/TLS version may leave the connection vulnerable to attacks.","id":"py/insecure-protocol","kind":"problem","name":"Use of insecure SSL/TLS version","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/weak-sensitive-data-hashing","name":"py/weak-sensitive-data-hashing","shortDescription":{"text":"Use of a broken or weak cryptographic hashing algorithm on sensitive data"},"fullDescription":{"text":"Using broken or weak cryptographic hashing algorithms can compromise security."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-327","external/cwe/cwe-328","external/cwe/cwe-916"],"description":"Using broken or weak cryptographic hashing algorithms can compromise security.","id":"py/weak-sensitive-data-hashing","kind":"path-problem","name":"Use of a broken or weak cryptographic hashing algorithm on sensitive data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/full-ssrf","name":"py/full-ssrf","shortDescription":{"text":"Full server-side request forgery"},"fullDescription":{"text":"Making a network request to a URL that is fully user-controlled allows for request forgery attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-918"],"description":"Making a network request to a URL that is fully user-controlled allows for request forgery attacks.","id":"py/full-ssrf","kind":"path-problem","name":"Full server-side request forgery","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"py/pam-auth-bypass","name":"py/pam-auth-bypass","shortDescription":{"text":"PAM authorization bypass due to incorrect usage"},"fullDescription":{"text":"Not using `pam_acct_mgmt` after `pam_authenticate` to check the validity of a login can lead to authorization bypass."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-285"],"description":"Not using `pam_acct_mgmt` after `pam_authenticate` to check the validity of a login can lead to authorization bypass.","id":"py/pam-auth-bypass","kind":"path-problem","name":"PAM authorization bypass due to incorrect usage","precision":"high","problem.severity":"warning","security-severity":"8.1"}},{"id":"py/insecure-cookie","name":"py/insecure-cookie","shortDescription":{"text":"Failure to use secure cookies"},"fullDescription":{"text":"Insecure cookies may be sent in cleartext, which makes them vulnerable to interception."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-614","external/cwe/cwe-1004","external/cwe/cwe-1275"],"description":"Insecure cookies may be sent in cleartext, which makes them vulnerable to\n              interception.","id":"py/insecure-cookie","kind":"problem","name":"Failure to use secure cookies","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"py/sql-injection","name":"py/sql-injection","shortDescription":{"text":"SQL query built from user-controlled sources"},"fullDescription":{"text":"Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-089"],"description":"Building a SQL query from user-controlled sources is vulnerable to insertion of\n              malicious SQL code by the user.","id":"py/sql-injection","kind":"path-problem","name":"SQL query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"8.8"}},{"id":"py/incomplete-hostname-regexp","name":"py/incomplete-hostname-regexp","shortDescription":{"text":"Incomplete regular expression for hostnames"},"fullDescription":{"text":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.","id":"py/incomplete-hostname-regexp","kind":"problem","name":"Incomplete regular expression for hostnames","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"py/cookie-injection","name":"py/cookie-injection","shortDescription":{"text":"Construction of a cookie using user-supplied input"},"fullDescription":{"text":"Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-20"],"description":"Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack.","id":"py/cookie-injection","kind":"path-problem","name":"Construction of a cookie using user-supplied input","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"py/incomplete-url-substring-sanitization","name":"py/incomplete-url-substring-sanitization","shortDescription":{"text":"Incomplete URL substring sanitization"},"fullDescription":{"text":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-20"],"description":"Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.","id":"py/incomplete-url-substring-sanitization","kind":"problem","name":"Incomplete URL substring sanitization","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"py/overly-large-range","name":"py/overly-large-range","shortDescription":{"text":"Overly permissive regular expression range"},"fullDescription":{"text":"Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-020"],"description":"Overly permissive regular expression ranges match a wider range of characters than intended.\n              This may allow an attacker to bypass a filter or sanitizer.","id":"py/overly-large-range","kind":"problem","name":"Overly permissive regular expression range","precision":"high","problem.severity":"warning","security-severity":"5.0"}},{"id":"py/flask-debug","name":"py/flask-debug","shortDescription":{"text":"Flask app is run in debug mode"},"fullDescription":{"text":"Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-215","external/cwe/cwe-489"],"description":"Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger.","id":"py/flask-debug","kind":"problem","name":"Flask app is run in debug mode","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/ldap-injection","name":"py/ldap-injection","shortDescription":{"text":"LDAP query built from user-controlled sources"},"fullDescription":{"text":"Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-090"],"description":"Building an LDAP query from user-controlled sources is vulnerable to insertion of\n              malicious LDAP code by the user.","id":"py/ldap-injection","kind":"path-problem","name":"LDAP query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"py/bind-socket-all-network-interfaces","name":"py/bind-socket-all-network-interfaces","shortDescription":{"text":"Binding a socket to all network interfaces"},"fullDescription":{"text":"Binding a socket to all interfaces opens it up to traffic from any IPv4 address and is therefore associated with security risks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-200"],"description":"Binding a socket to all interfaces opens it up to traffic from any IPv4 address\n and is therefore associated with security risks.","id":"py/bind-socket-all-network-interfaces","kind":"problem","name":"Binding a socket to all network interfaces","precision":"high","problem.severity":"error","security-severity":"6.5","sub-severity":"low"}},{"id":"py/paramiko-missing-host-key-validation","name":"py/paramiko-missing-host-key-validation","shortDescription":{"text":"Accepting unknown SSH host keys when using Paramiko"},"fullDescription":{"text":"Accepting unknown host keys can allow man-in-the-middle attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-295"],"description":"Accepting unknown host keys can allow man-in-the-middle attacks.","id":"py/paramiko-missing-host-key-validation","kind":"problem","name":"Accepting unknown SSH host keys when using Paramiko","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/insecure-temporary-file","name":"py/insecure-temporary-file","shortDescription":{"text":"Insecure temporary file"},"fullDescription":{"text":"Creating a temporary file using this method may be insecure."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["external/cwe/cwe-377","security"],"description":"Creating a temporary file using this method may be insecure.","id":"py/insecure-temporary-file","kind":"problem","name":"Insecure temporary file","precision":"high","problem.severity":"error","security-severity":"7.0","sub-severity":"high"}},{"id":"py/bad-tag-filter","name":"py/bad-tag-filter","shortDescription":{"text":"Bad HTML filtering regexp"},"fullDescription":{"text":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["correctness","security","external/cwe/cwe-116","external/cwe/cwe-020","external/cwe/cwe-185","external/cwe/cwe-186"],"description":"Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.","id":"py/bad-tag-filter","kind":"problem","name":"Bad HTML filtering regexp","precision":"high","problem.severity":"warning","security-severity":"7.8"}},{"id":"py/xml-bomb","name":"py/xml-bomb","shortDescription":{"text":"XML internal entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-776","external/cwe/cwe-400"],"description":"Parsing user input as an XML document with arbitrary internal\n              entity expansion is vulnerable to denial-of-service attacks.","id":"py/xml-bomb","kind":"path-problem","name":"XML internal entity expansion","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/clear-text-storage-sensitive-data","name":"py/clear-text-storage-sensitive-data","shortDescription":{"text":"Clear-text storage of sensitive information"},"fullDescription":{"text":"Sensitive information stored without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-315","external/cwe/cwe-359"],"description":"Sensitive information stored without encryption or hashing can expose it to an\n              attacker.","id":"py/clear-text-storage-sensitive-data","kind":"path-problem","name":"Clear-text storage of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/clear-text-logging-sensitive-data","name":"py/clear-text-logging-sensitive-data","shortDescription":{"text":"Clear-text logging of sensitive information"},"fullDescription":{"text":"Logging sensitive information without encryption or hashing can expose it to an attacker."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-312","external/cwe/cwe-359","external/cwe/cwe-532"],"description":"Logging sensitive information without encryption or hashing can\n              expose it to an attacker.","id":"py/clear-text-logging-sensitive-data","kind":"path-problem","name":"Clear-text logging of sensitive information","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/csrf-protection-disabled","name":"py/csrf-protection-disabled","shortDescription":{"text":"CSRF protection weakened or disabled"},"fullDescription":{"text":"Disabling or weakening CSRF protection may make the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-352"],"description":"Disabling or weakening CSRF protection may make the application\n              vulnerable to a Cross-Site Request Forgery (CSRF) attack.","id":"py/csrf-protection-disabled","kind":"problem","name":"CSRF protection weakened or disabled","precision":"high","problem.severity":"warning","security-severity":"8.8"}},{"id":"py/unsafe-deserialization","name":"py/unsafe-deserialization","shortDescription":{"text":"Deserialization of user-controlled data"},"fullDescription":{"text":"Deserializing user-controlled data may allow attackers to execute arbitrary code."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["external/cwe/cwe-502","security","serialization"],"description":"Deserializing user-controlled data may allow attackers to execute arbitrary code.","id":"py/unsafe-deserialization","kind":"path-problem","name":"Deserialization of user-controlled data","precision":"high","problem.severity":"error","security-severity":"9.8","sub-severity":"high"}},{"id":"py/regex-injection","name":"py/regex-injection","shortDescription":{"text":"Regular expression injection"},"fullDescription":{"text":"User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"User input should not be used in regular expressions without first being escaped,\n              otherwise a malicious user may be able to inject an expression that could require\n              exponential time on certain inputs.","id":"py/regex-injection","kind":"path-problem","name":"Regular expression injection","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/redos","name":"py/redos","shortDescription":{"text":"Inefficient regular expression"},"fullDescription":{"text":"A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that requires exponential time to match certain inputs\n              can be a performance bottleneck, and may be vulnerable to denial-of-service\n              attacks.","id":"py/redos","kind":"problem","name":"Inefficient regular expression","precision":"high","problem.severity":"error","security-severity":"7.5"}},{"id":"py/polynomial-redos","name":"py/polynomial-redos","shortDescription":{"text":"Polynomial regular expression used on uncontrolled data"},"fullDescription":{"text":"A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."},"defaultConfiguration":{"enabled":true,"level":"warning"},"properties":{"tags":["security","external/cwe/cwe-1333","external/cwe/cwe-730","external/cwe/cwe-400"],"description":"A regular expression that can require polynomial time\n              to match may be vulnerable to denial-of-service attacks.","id":"py/polynomial-redos","kind":"path-problem","name":"Polynomial regular expression used on uncontrolled data","precision":"high","problem.severity":"warning","security-severity":"7.5"}},{"id":"py/path-injection","name":"py/path-injection","shortDescription":{"text":"Uncontrolled data used in path expression"},"fullDescription":{"text":"Accessing paths influenced by users can allow an attacker to access unexpected resources."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-022","external/cwe/cwe-023","external/cwe/cwe-036","external/cwe/cwe-073","external/cwe/cwe-099"],"description":"Accessing paths influenced by users can allow an attacker to access unexpected resources.","id":"py/path-injection","kind":"path-problem","name":"Uncontrolled data used in path expression","precision":"high","problem.severity":"error","security-severity":"7.5","sub-severity":"high"}},{"id":"py/xxe","name":"py/xxe","shortDescription":{"text":"XML external entity expansion"},"fullDescription":{"text":"Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-611","external/cwe/cwe-827"],"description":"Parsing user input as an XML document with external\n              entity expansion is vulnerable to XXE attacks.","id":"py/xxe","kind":"path-problem","name":"XML external entity expansion","precision":"high","problem.severity":"error","security-severity":"9.1"}},{"id":"py/command-line-injection","name":"py/command-line-injection","shortDescription":{"text":"Uncontrolled command line"},"fullDescription":{"text":"Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["correctness","security","external/cwe/cwe-078","external/cwe/cwe-088"],"description":"Using externally controlled strings in a command line may allow a malicious\n              user to change the meaning of the command.","id":"py/command-line-injection","kind":"path-problem","name":"Uncontrolled command line","precision":"high","problem.severity":"error","security-severity":"9.8","sub-severity":"high"}},{"id":"py/xpath-injection","name":"py/xpath-injection","shortDescription":{"text":"XPath query built from user-controlled sources"},"fullDescription":{"text":"Building a XPath query from user-controlled sources is vulnerable to insertion of malicious Xpath code by the user."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-643"],"description":"Building a XPath query from user-controlled sources is vulnerable to insertion of\n              malicious Xpath code by the user.","id":"py/xpath-injection","kind":"path-problem","name":"XPath query built from user-controlled sources","precision":"high","problem.severity":"error","security-severity":"9.8"}},{"id":"py/reflective-xss","name":"py/reflective-xss","shortDescription":{"text":"Reflected server-side cross-site scripting"},"fullDescription":{"text":"Writing user input directly to a web page allows for a cross-site scripting vulnerability."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","external/cwe/cwe-079","external/cwe/cwe-116"],"description":"Writing user input directly to a web page\n              allows for a cross-site scripting vulnerability.","id":"py/reflective-xss","kind":"path-problem","name":"Reflected server-side cross-site scripting","precision":"high","problem.severity":"error","security-severity":"6.1","sub-severity":"high"}},{"id":"py/use-of-input","name":"py/use-of-input","shortDescription":{"text":"'input' function used in Python 2"},"fullDescription":{"text":"The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run."},"defaultConfiguration":{"enabled":true,"level":"error"},"properties":{"tags":["security","correctness","security/cwe/cwe-94","security/cwe/cwe-95"],"description":"The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run.","id":"py/use-of-input","kind":"problem","name":"'input' function used in Python 2","precision":"high","problem.severity":"error","security-severity":"9.8","sub-severity":"high"}},{"id":"py/summary/lines-of-code","name":"py/summary/lines-of-code","shortDescription":{"text":"Total lines of Python code in the database"},"fullDescription":{"text":"The total number of lines of Python code across all files, including external libraries and auto-generated files. This is a useful metric of the size of a database. This query counts the lines of code, excluding whitespace or comments."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","telemetry"],"description":"The total number of lines of Python code across all files, including\n   external libraries and auto-generated files. This is a useful metric of the size of a\n   database. This query counts the lines of code, excluding whitespace or comments.","id":"py/summary/lines-of-code","kind":"metric","name":"Total lines of Python code in the database"}},{"id":"py/summary/lines-of-user-code","name":"py/summary/lines-of-user-code","shortDescription":{"text":"Total lines of user written Python code in the database"},"fullDescription":{"text":"The total number of lines of Python code from the source code directory, excluding auto-generated files. This query counts the lines of code, excluding whitespace or comments. Note: If external libraries are included in the codebase either in a checked-in virtual environment or as vendored code, that will currently be counted as user written code."},"defaultConfiguration":{"enabled":true},"properties":{"tags":["summary","lines-of-code","debug"],"description":"The total number of lines of Python code from the source code directory,\n   excluding auto-generated files. This query counts the lines of code, excluding\n   whitespace or comments. Note: If external libraries are included in the codebase\n   either in a checked-in virtual environment or as vendored code, that will currently\n   be counted as user written code.","id":"py/summary/lines-of-user-code","kind":"metric","name":"Total lines of user written Python code in the database"}}]},"extensions":[{"name":"codeql/python-queries","semanticVersion":"1.2.2+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]},{"name":"codeql/python-all","semanticVersion":"2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54","locations":[{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/.codeql/libraries/codeql/python-all/2.0.0/","description":{"text":"The QL pack root directory."},"properties":{"tags":["CodeQL/LocalPackRoot"]}},{"uri":"file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/.codeql/libraries/codeql/python-all/2.0.0/qlpack.yml","description":{"text":"The QL pack definition file."},"properties":{"tags":["CodeQL/LocalPackDefinitionFile"]}}]}]},"invocations":[{"toolExecutionNotifications":[{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"py/diagnostics/successfully-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":".codeql-db/codeql-database.yml","uriBaseId":"%SRCROOT%","index":1}}}],"message":{"text":""},"level":"none","descriptor":{"id":"py/diagnostics/successfully-extracted-files","index":0},"properties":{"formattedMessage":{"text":""}}},{"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0}}}],"message":{"text":""},"level":"none","descriptor":{"id":"py/baseline/expected-extracted-files","index":2},"properties":{"formattedMessage":{"text":""}}},{"message":{"text":""},"level":"note","timeUtc":"2025-05-09T08:10:22.071+00:00","descriptor":{"id":"cli/sip-enablement","index":3},"properties":{"attributes":{"isEnabled":true},"visibility":{"statusPage":false,"telemetry":true}}}],"executionSuccessful":true}],"artifacts":[{"location":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0}},{"location":{"uri":".codeql-db/codeql-database.yml","uriBaseId":"%SRCROOT%","index":1}}],"results":[{"ruleId":"py/bind-socket-all-network-interfaces","ruleIndex":20,"rule":{"id":"py/bind-socket-all-network-interfaces","index":20},"message":{"text":"'0.0.0.0' binds a socket to all interfaces."},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"script.py","uriBaseId":"%SRCROOT%","index":0},"region":{"startLine":6,"endColumn":27}}}],"partialFingerprints":{"primaryLocationLineHash":"5e7a4c3f4c46a812:1","primaryLocationStartColumnFingerprint":"0"}}],"columnKind":"unicodeCodePoints","properties":{"semmle.formatSpecifier":"sarifv2.1.0","metricResults":[{"rule":{"id":"py/summary/lines-of-code","index":38},"ruleId":"py/summary/lines-of-code","ruleIndex":38,"value":121874},{"rule":{"id":"py/summary/lines-of-user-code","index":39},"ruleId":"py/summary/lines-of-user-code","ruleIndex":39,"value":3,"baseline":3}]}}]}
+{
+  "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL",
+          "organization": "GitHub",
+          "semanticVersion": "2.19.0",
+          "notifications": [
+            {
+              "id": "py/diagnostics/successfully-extracted-files",
+              "name": "py/diagnostics/successfully-extracted-files",
+              "shortDescription": {
+                "text": "Extracted Python files"
+              },
+              "fullDescription": {
+                "text": "Lists all Python files in the source code directory that were extracted."
+              },
+              "defaultConfiguration": {
+                "enabled": true
+              },
+              "properties": {
+                "tags": [
+                  "successfully-extracted-files"
+                ],
+                "description": "Lists all Python files in the source code directory that were extracted.",
+                "id": "py/diagnostics/successfully-extracted-files",
+                "kind": "diagnostic",
+                "name": "Extracted Python files"
+              }
+            },
+            {
+              "id": "py/diagnostics/extraction-warnings",
+              "name": "py/diagnostics/extraction-warnings",
+              "shortDescription": {
+                "text": "Python extraction warnings"
+              },
+              "fullDescription": {
+                "text": "List all extraction warnings for Python files in the source code directory."
+              },
+              "defaultConfiguration": {
+                "enabled": true
+              },
+              "properties": {
+                "description": "List all extraction warnings for Python files in the source code directory.",
+                "id": "py/diagnostics/extraction-warnings",
+                "kind": "diagnostic",
+                "name": "Python extraction warnings"
+              }
+            },
+            {
+              "id": "py/baseline/expected-extracted-files",
+              "name": "py/baseline/expected-extracted-files",
+              "shortDescription": {
+                "text": "Expected extracted files"
+              },
+              "fullDescription": {
+                "text": "Files appearing in the source archive that are expected to be extracted."
+              },
+              "defaultConfiguration": {
+                "enabled": true
+              },
+              "properties": {
+                "tags": [
+                  "expected-extracted-files",
+                  "telemetry"
+                ]
+              }
+            },
+            {
+              "id": "cli/sip-enablement",
+              "name": "cli/sip-enablement",
+              "shortDescription": {
+                "text": "macOS SIP enablement status"
+              },
+              "fullDescription": {
+                "text": "macOS SIP enablement status"
+              },
+              "defaultConfiguration": {
+                "enabled": true
+              }
+            }
+          ],
+          "rules": [
+            {
+              "id": "py/code-injection",
+              "name": "py/code-injection",
+              "shortDescription": {
+                "text": "Code injection"
+              },
+              "fullDescription": {
+                "text": "Interpreting unsanitized user input as code allows a malicious user to perform arbitrary code execution."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-094",
+                  "external/cwe/cwe-095",
+                  "external/cwe/cwe-116"
+                ],
+                "description": "Interpreting unsanitized user input as code allows a malicious user to perform arbitrary\n              code execution.",
+                "id": "py/code-injection",
+                "kind": "path-problem",
+                "name": "Code injection",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.3",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/stack-trace-exposure",
+              "name": "py/stack-trace-exposure",
+              "shortDescription": {
+                "text": "Information exposure through an exception"
+              },
+              "fullDescription": {
+                "text": "Leaking information about an exception, such as messages and stack traces, to an external user can expose implementation details that are useful to an attacker for developing a subsequent exploit."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-209",
+                  "external/cwe/cwe-497"
+                ],
+                "description": "Leaking information about an exception, such as messages and stack traces, to an\n              external user can expose implementation details that are useful to an attacker for\n              developing a subsequent exploit.",
+                "id": "py/stack-trace-exposure",
+                "kind": "path-problem",
+                "name": "Information exposure through an exception",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "5.4"
+              }
+            },
+            {
+              "id": "py/url-redirection",
+              "name": "py/url-redirection",
+              "shortDescription": {
+                "text": "URL redirection from remote source"
+              },
+              "fullDescription": {
+                "text": "URL redirection based on unvalidated user input may cause redirection to malicious web sites."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-601"
+                ],
+                "description": "URL redirection based on unvalidated user input\n              may cause redirection to malicious web sites.",
+                "id": "py/url-redirection",
+                "kind": "path-problem",
+                "name": "URL redirection from remote source",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "6.1",
+                "sub-severity": "low"
+              }
+            },
+            {
+              "id": "py/weak-crypto-key",
+              "name": "py/weak-crypto-key",
+              "shortDescription": {
+                "text": "Use of weak cryptographic key"
+              },
+              "fullDescription": {
+                "text": "Use of a cryptographic key that is too small may allow the encryption to be broken."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-326"
+                ],
+                "description": "Use of a cryptographic key that is too small may allow the encryption to be broken.",
+                "id": "py/weak-crypto-key",
+                "kind": "problem",
+                "name": "Use of weak cryptographic key",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/http-response-splitting",
+              "name": "py/http-response-splitting",
+              "shortDescription": {
+                "text": "HTTP Response Splitting"
+              },
+              "fullDescription": {
+                "text": "Writing user input directly to an HTTP header makes code vulnerable to attack by header splitting."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-113",
+                  "external/cwe/cwe-079"
+                ],
+                "description": "Writing user input directly to an HTTP header\n              makes code vulnerable to attack by header splitting.",
+                "id": "py/http-response-splitting",
+                "kind": "path-problem",
+                "name": "HTTP Response Splitting",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "6.1"
+              }
+            },
+            {
+              "id": "py/nosql-injection",
+              "name": "py/nosql-injection",
+              "shortDescription": {
+                "text": "NoSQL Injection"
+              },
+              "fullDescription": {
+                "text": "Building a NoSQL query from user-controlled sources is vulnerable to insertion of malicious NoSQL code by the user."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-943"
+                ],
+                "description": "Building a NoSQL query from user-controlled sources is vulnerable to insertion of\n              malicious NoSQL code by the user.",
+                "id": "py/nosql-injection",
+                "kind": "path-problem",
+                "name": "NoSQL Injection",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "py/insecure-default-protocol",
+              "name": "py/insecure-default-protocol",
+              "shortDescription": {
+                "text": "Default version of SSL/TLS may be insecure"
+              },
+              "fullDescription": {
+                "text": "Leaving the SSL/TLS version unspecified may result in an insecure default protocol being used."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-327"
+                ],
+                "description": "Leaving the SSL/TLS version unspecified may result in an insecure\n              default protocol being used.",
+                "id": "py/insecure-default-protocol",
+                "kind": "problem",
+                "name": "Default version of SSL/TLS may be insecure",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/weak-cryptographic-algorithm",
+              "name": "py/weak-cryptographic-algorithm",
+              "shortDescription": {
+                "text": "Use of a broken or weak cryptographic algorithm"
+              },
+              "fullDescription": {
+                "text": "Using broken or weak cryptographic algorithms can compromise security."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-327"
+                ],
+                "description": "Using broken or weak cryptographic algorithms can compromise security.",
+                "id": "py/weak-cryptographic-algorithm",
+                "kind": "problem",
+                "name": "Use of a broken or weak cryptographic algorithm",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/insecure-protocol",
+              "name": "py/insecure-protocol",
+              "shortDescription": {
+                "text": "Use of insecure SSL/TLS version"
+              },
+              "fullDescription": {
+                "text": "Using an insecure SSL/TLS version may leave the connection vulnerable to attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-327"
+                ],
+                "description": "Using an insecure SSL/TLS version may leave the connection vulnerable to attacks.",
+                "id": "py/insecure-protocol",
+                "kind": "problem",
+                "name": "Use of insecure SSL/TLS version",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/weak-sensitive-data-hashing",
+              "name": "py/weak-sensitive-data-hashing",
+              "shortDescription": {
+                "text": "Use of a broken or weak cryptographic hashing algorithm on sensitive data"
+              },
+              "fullDescription": {
+                "text": "Using broken or weak cryptographic hashing algorithms can compromise security."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-327",
+                  "external/cwe/cwe-328",
+                  "external/cwe/cwe-916"
+                ],
+                "description": "Using broken or weak cryptographic hashing algorithms can compromise security.",
+                "id": "py/weak-sensitive-data-hashing",
+                "kind": "path-problem",
+                "name": "Use of a broken or weak cryptographic hashing algorithm on sensitive data",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/full-ssrf",
+              "name": "py/full-ssrf",
+              "shortDescription": {
+                "text": "Full server-side request forgery"
+              },
+              "fullDescription": {
+                "text": "Making a network request to a URL that is fully user-controlled allows for request forgery attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-918"
+                ],
+                "description": "Making a network request to a URL that is fully user-controlled allows for request forgery attacks.",
+                "id": "py/full-ssrf",
+                "kind": "path-problem",
+                "name": "Full server-side request forgery",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.1"
+              }
+            },
+            {
+              "id": "py/pam-auth-bypass",
+              "name": "py/pam-auth-bypass",
+              "shortDescription": {
+                "text": "PAM authorization bypass due to incorrect usage"
+              },
+              "fullDescription": {
+                "text": "Not using `pam_acct_mgmt` after `pam_authenticate` to check the validity of a login can lead to authorization bypass."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-285"
+                ],
+                "description": "Not using `pam_acct_mgmt` after `pam_authenticate` to check the validity of a login can lead to authorization bypass.",
+                "id": "py/pam-auth-bypass",
+                "kind": "path-problem",
+                "name": "PAM authorization bypass due to incorrect usage",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "8.1"
+              }
+            },
+            {
+              "id": "py/insecure-cookie",
+              "name": "py/insecure-cookie",
+              "shortDescription": {
+                "text": "Failure to use secure cookies"
+              },
+              "fullDescription": {
+                "text": "Insecure cookies may be sent in cleartext, which makes them vulnerable to interception."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-614",
+                  "external/cwe/cwe-1004",
+                  "external/cwe/cwe-1275"
+                ],
+                "description": "Insecure cookies may be sent in cleartext, which makes them vulnerable to\n              interception.",
+                "id": "py/insecure-cookie",
+                "kind": "problem",
+                "name": "Failure to use secure cookies",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "5.0"
+              }
+            },
+            {
+              "id": "py/sql-injection",
+              "name": "py/sql-injection",
+              "shortDescription": {
+                "text": "SQL query built from user-controlled sources"
+              },
+              "fullDescription": {
+                "text": "Building a SQL query from user-controlled sources is vulnerable to insertion of malicious SQL code by the user."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-089"
+                ],
+                "description": "Building a SQL query from user-controlled sources is vulnerable to insertion of\n              malicious SQL code by the user.",
+                "id": "py/sql-injection",
+                "kind": "path-problem",
+                "name": "SQL query built from user-controlled sources",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "py/incomplete-hostname-regexp",
+              "name": "py/incomplete-hostname-regexp",
+              "shortDescription": {
+                "text": "Incomplete regular expression for hostnames"
+              },
+              "fullDescription": {
+                "text": "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "correctness",
+                  "security",
+                  "external/cwe/cwe-020"
+                ],
+                "description": "Matching a URL or hostname against a regular expression that contains an unescaped dot as part of the hostname might match more hostnames than expected.",
+                "id": "py/incomplete-hostname-regexp",
+                "kind": "problem",
+                "name": "Incomplete regular expression for hostnames",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.8"
+              }
+            },
+            {
+              "id": "py/cookie-injection",
+              "name": "py/cookie-injection",
+              "shortDescription": {
+                "text": "Construction of a cookie using user-supplied input"
+              },
+              "fullDescription": {
+                "text": "Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-20"
+                ],
+                "description": "Constructing cookies from user input may allow an attacker to perform a Cookie Poisoning attack.",
+                "id": "py/cookie-injection",
+                "kind": "path-problem",
+                "name": "Construction of a cookie using user-supplied input",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "5.0"
+              }
+            },
+            {
+              "id": "py/incomplete-url-substring-sanitization",
+              "name": "py/incomplete-url-substring-sanitization",
+              "shortDescription": {
+                "text": "Incomplete URL substring sanitization"
+              },
+              "fullDescription": {
+                "text": "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "correctness",
+                  "security",
+                  "external/cwe/cwe-20"
+                ],
+                "description": "Security checks on the substrings of an unparsed URL are often vulnerable to bypassing.",
+                "id": "py/incomplete-url-substring-sanitization",
+                "kind": "problem",
+                "name": "Incomplete URL substring sanitization",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.8"
+              }
+            },
+            {
+              "id": "py/overly-large-range",
+              "name": "py/overly-large-range",
+              "shortDescription": {
+                "text": "Overly permissive regular expression range"
+              },
+              "fullDescription": {
+                "text": "Overly permissive regular expression ranges match a wider range of characters than intended. This may allow an attacker to bypass a filter or sanitizer."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "correctness",
+                  "security",
+                  "external/cwe/cwe-020"
+                ],
+                "description": "Overly permissive regular expression ranges match a wider range of characters than intended.\n              This may allow an attacker to bypass a filter or sanitizer.",
+                "id": "py/overly-large-range",
+                "kind": "problem",
+                "name": "Overly permissive regular expression range",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "5.0"
+              }
+            },
+            {
+              "id": "py/flask-debug",
+              "name": "py/flask-debug",
+              "shortDescription": {
+                "text": "Flask app is run in debug mode"
+              },
+              "fullDescription": {
+                "text": "Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-215",
+                  "external/cwe/cwe-489"
+                ],
+                "description": "Running a Flask app in debug mode may allow an attacker to run arbitrary code through the Werkzeug debugger.",
+                "id": "py/flask-debug",
+                "kind": "problem",
+                "name": "Flask app is run in debug mode",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/ldap-injection",
+              "name": "py/ldap-injection",
+              "shortDescription": {
+                "text": "LDAP query built from user-controlled sources"
+              },
+              "fullDescription": {
+                "text": "Building an LDAP query from user-controlled sources is vulnerable to insertion of malicious LDAP code by the user."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-090"
+                ],
+                "description": "Building an LDAP query from user-controlled sources is vulnerable to insertion of\n              malicious LDAP code by the user.",
+                "id": "py/ldap-injection",
+                "kind": "path-problem",
+                "name": "LDAP query built from user-controlled sources",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "py/bind-socket-all-network-interfaces",
+              "name": "py/bind-socket-all-network-interfaces",
+              "shortDescription": {
+                "text": "Binding a socket to all network interfaces"
+              },
+              "fullDescription": {
+                "text": "Binding a socket to all interfaces opens it up to traffic from any IPv4 address and is therefore associated with security risks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-200"
+                ],
+                "description": "Binding a socket to all interfaces opens it up to traffic from any IPv4 address\n and is therefore associated with security risks.",
+                "id": "py/bind-socket-all-network-interfaces",
+                "kind": "problem",
+                "name": "Binding a socket to all network interfaces",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "6.5",
+                "sub-severity": "low"
+              }
+            },
+            {
+              "id": "py/paramiko-missing-host-key-validation",
+              "name": "py/paramiko-missing-host-key-validation",
+              "shortDescription": {
+                "text": "Accepting unknown SSH host keys when using Paramiko"
+              },
+              "fullDescription": {
+                "text": "Accepting unknown host keys can allow man-in-the-middle attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-295"
+                ],
+                "description": "Accepting unknown host keys can allow man-in-the-middle attacks.",
+                "id": "py/paramiko-missing-host-key-validation",
+                "kind": "problem",
+                "name": "Accepting unknown SSH host keys when using Paramiko",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/insecure-temporary-file",
+              "name": "py/insecure-temporary-file",
+              "shortDescription": {
+                "text": "Insecure temporary file"
+              },
+              "fullDescription": {
+                "text": "Creating a temporary file using this method may be insecure."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "external/cwe/cwe-377",
+                  "security"
+                ],
+                "description": "Creating a temporary file using this method may be insecure.",
+                "id": "py/insecure-temporary-file",
+                "kind": "problem",
+                "name": "Insecure temporary file",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.0",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/bad-tag-filter",
+              "name": "py/bad-tag-filter",
+              "shortDescription": {
+                "text": "Bad HTML filtering regexp"
+              },
+              "fullDescription": {
+                "text": "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "correctness",
+                  "security",
+                  "external/cwe/cwe-116",
+                  "external/cwe/cwe-020",
+                  "external/cwe/cwe-185",
+                  "external/cwe/cwe-186"
+                ],
+                "description": "Matching HTML tags using regular expressions is hard to do right, and can easily lead to security issues.",
+                "id": "py/bad-tag-filter",
+                "kind": "problem",
+                "name": "Bad HTML filtering regexp",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.8"
+              }
+            },
+            {
+              "id": "py/xml-bomb",
+              "name": "py/xml-bomb",
+              "shortDescription": {
+                "text": "XML internal entity expansion"
+              },
+              "fullDescription": {
+                "text": "Parsing user input as an XML document with arbitrary internal entity expansion is vulnerable to denial-of-service attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-776",
+                  "external/cwe/cwe-400"
+                ],
+                "description": "Parsing user input as an XML document with arbitrary internal\n              entity expansion is vulnerable to denial-of-service attacks.",
+                "id": "py/xml-bomb",
+                "kind": "path-problem",
+                "name": "XML internal entity expansion",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/clear-text-storage-sensitive-data",
+              "name": "py/clear-text-storage-sensitive-data",
+              "shortDescription": {
+                "text": "Clear-text storage of sensitive information"
+              },
+              "fullDescription": {
+                "text": "Sensitive information stored without encryption or hashing can expose it to an attacker."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-312",
+                  "external/cwe/cwe-315",
+                  "external/cwe/cwe-359"
+                ],
+                "description": "Sensitive information stored without encryption or hashing can expose it to an\n              attacker.",
+                "id": "py/clear-text-storage-sensitive-data",
+                "kind": "path-problem",
+                "name": "Clear-text storage of sensitive information",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/clear-text-logging-sensitive-data",
+              "name": "py/clear-text-logging-sensitive-data",
+              "shortDescription": {
+                "text": "Clear-text logging of sensitive information"
+              },
+              "fullDescription": {
+                "text": "Logging sensitive information without encryption or hashing can expose it to an attacker."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-312",
+                  "external/cwe/cwe-359",
+                  "external/cwe/cwe-532"
+                ],
+                "description": "Logging sensitive information without encryption or hashing can\n              expose it to an attacker.",
+                "id": "py/clear-text-logging-sensitive-data",
+                "kind": "path-problem",
+                "name": "Clear-text logging of sensitive information",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/csrf-protection-disabled",
+              "name": "py/csrf-protection-disabled",
+              "shortDescription": {
+                "text": "CSRF protection weakened or disabled"
+              },
+              "fullDescription": {
+                "text": "Disabling or weakening CSRF protection may make the application vulnerable to a Cross-Site Request Forgery (CSRF) attack."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-352"
+                ],
+                "description": "Disabling or weakening CSRF protection may make the application\n              vulnerable to a Cross-Site Request Forgery (CSRF) attack.",
+                "id": "py/csrf-protection-disabled",
+                "kind": "problem",
+                "name": "CSRF protection weakened or disabled",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "8.8"
+              }
+            },
+            {
+              "id": "py/unsafe-deserialization",
+              "name": "py/unsafe-deserialization",
+              "shortDescription": {
+                "text": "Deserialization of user-controlled data"
+              },
+              "fullDescription": {
+                "text": "Deserializing user-controlled data may allow attackers to execute arbitrary code."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "external/cwe/cwe-502",
+                  "security",
+                  "serialization"
+                ],
+                "description": "Deserializing user-controlled data may allow attackers to execute arbitrary code.",
+                "id": "py/unsafe-deserialization",
+                "kind": "path-problem",
+                "name": "Deserialization of user-controlled data",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.8",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/regex-injection",
+              "name": "py/regex-injection",
+              "shortDescription": {
+                "text": "Regular expression injection"
+              },
+              "fullDescription": {
+                "text": "User input should not be used in regular expressions without first being escaped, otherwise a malicious user may be able to inject an expression that could require exponential time on certain inputs."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-730",
+                  "external/cwe/cwe-400"
+                ],
+                "description": "User input should not be used in regular expressions without first being escaped,\n              otherwise a malicious user may be able to inject an expression that could require\n              exponential time on certain inputs.",
+                "id": "py/regex-injection",
+                "kind": "path-problem",
+                "name": "Regular expression injection",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/redos",
+              "name": "py/redos",
+              "shortDescription": {
+                "text": "Inefficient regular expression"
+              },
+              "fullDescription": {
+                "text": "A regular expression that requires exponential time to match certain inputs can be a performance bottleneck, and may be vulnerable to denial-of-service attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-1333",
+                  "external/cwe/cwe-730",
+                  "external/cwe/cwe-400"
+                ],
+                "description": "A regular expression that requires exponential time to match certain inputs\n              can be a performance bottleneck, and may be vulnerable to denial-of-service\n              attacks.",
+                "id": "py/redos",
+                "kind": "problem",
+                "name": "Inefficient regular expression",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/polynomial-redos",
+              "name": "py/polynomial-redos",
+              "shortDescription": {
+                "text": "Polynomial regular expression used on uncontrolled data"
+              },
+              "fullDescription": {
+                "text": "A regular expression that can require polynomial time to match may be vulnerable to denial-of-service attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "warning"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-1333",
+                  "external/cwe/cwe-730",
+                  "external/cwe/cwe-400"
+                ],
+                "description": "A regular expression that can require polynomial time\n              to match may be vulnerable to denial-of-service attacks.",
+                "id": "py/polynomial-redos",
+                "kind": "path-problem",
+                "name": "Polynomial regular expression used on uncontrolled data",
+                "precision": "high",
+                "problem.severity": "warning",
+                "security-severity": "7.5"
+              }
+            },
+            {
+              "id": "py/path-injection",
+              "name": "py/path-injection",
+              "shortDescription": {
+                "text": "Uncontrolled data used in path expression"
+              },
+              "fullDescription": {
+                "text": "Accessing paths influenced by users can allow an attacker to access unexpected resources."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "correctness",
+                  "security",
+                  "external/cwe/cwe-022",
+                  "external/cwe/cwe-023",
+                  "external/cwe/cwe-036",
+                  "external/cwe/cwe-073",
+                  "external/cwe/cwe-099"
+                ],
+                "description": "Accessing paths influenced by users can allow an attacker to access unexpected resources.",
+                "id": "py/path-injection",
+                "kind": "path-problem",
+                "name": "Uncontrolled data used in path expression",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "7.5",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/xxe",
+              "name": "py/xxe",
+              "shortDescription": {
+                "text": "XML external entity expansion"
+              },
+              "fullDescription": {
+                "text": "Parsing user input as an XML document with external entity expansion is vulnerable to XXE attacks."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-611",
+                  "external/cwe/cwe-827"
+                ],
+                "description": "Parsing user input as an XML document with external\n              entity expansion is vulnerable to XXE attacks.",
+                "id": "py/xxe",
+                "kind": "path-problem",
+                "name": "XML external entity expansion",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.1"
+              }
+            },
+            {
+              "id": "py/command-line-injection",
+              "name": "py/command-line-injection",
+              "shortDescription": {
+                "text": "Uncontrolled command line"
+              },
+              "fullDescription": {
+                "text": "Using externally controlled strings in a command line may allow a malicious user to change the meaning of the command."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "correctness",
+                  "security",
+                  "external/cwe/cwe-078",
+                  "external/cwe/cwe-088"
+                ],
+                "description": "Using externally controlled strings in a command line may allow a malicious\n              user to change the meaning of the command.",
+                "id": "py/command-line-injection",
+                "kind": "path-problem",
+                "name": "Uncontrolled command line",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.8",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/xpath-injection",
+              "name": "py/xpath-injection",
+              "shortDescription": {
+                "text": "XPath query built from user-controlled sources"
+              },
+              "fullDescription": {
+                "text": "Building a XPath query from user-controlled sources is vulnerable to insertion of malicious Xpath code by the user."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-643"
+                ],
+                "description": "Building a XPath query from user-controlled sources is vulnerable to insertion of\n              malicious Xpath code by the user.",
+                "id": "py/xpath-injection",
+                "kind": "path-problem",
+                "name": "XPath query built from user-controlled sources",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.8"
+              }
+            },
+            {
+              "id": "py/reflective-xss",
+              "name": "py/reflective-xss",
+              "shortDescription": {
+                "text": "Reflected server-side cross-site scripting"
+              },
+              "fullDescription": {
+                "text": "Writing user input directly to a web page allows for a cross-site scripting vulnerability."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "external/cwe/cwe-079",
+                  "external/cwe/cwe-116"
+                ],
+                "description": "Writing user input directly to a web page\n              allows for a cross-site scripting vulnerability.",
+                "id": "py/reflective-xss",
+                "kind": "path-problem",
+                "name": "Reflected server-side cross-site scripting",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "6.1",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/use-of-input",
+              "name": "py/use-of-input",
+              "shortDescription": {
+                "text": "'input' function used in Python 2"
+              },
+              "fullDescription": {
+                "text": "The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run."
+              },
+              "defaultConfiguration": {
+                "enabled": true,
+                "level": "error"
+              },
+              "properties": {
+                "tags": [
+                  "security",
+                  "correctness",
+                  "security/cwe/cwe-94",
+                  "security/cwe/cwe-95"
+                ],
+                "description": "The built-in function 'input' is used which, in Python 2, can allow arbitrary code to be run.",
+                "id": "py/use-of-input",
+                "kind": "problem",
+                "name": "'input' function used in Python 2",
+                "precision": "high",
+                "problem.severity": "error",
+                "security-severity": "9.8",
+                "sub-severity": "high"
+              }
+            },
+            {
+              "id": "py/summary/lines-of-code",
+              "name": "py/summary/lines-of-code",
+              "shortDescription": {
+                "text": "Total lines of Python code in the database"
+              },
+              "fullDescription": {
+                "text": "The total number of lines of Python code across all files, including external libraries and auto-generated files. This is a useful metric of the size of a database. This query counts the lines of code, excluding whitespace or comments."
+              },
+              "defaultConfiguration": {
+                "enabled": true
+              },
+              "properties": {
+                "tags": [
+                  "summary",
+                  "telemetry"
+                ],
+                "description": "The total number of lines of Python code across all files, including\n   external libraries and auto-generated files. This is a useful metric of the size of a\n   database. This query counts the lines of code, excluding whitespace or comments.",
+                "id": "py/summary/lines-of-code",
+                "kind": "metric",
+                "name": "Total lines of Python code in the database"
+              }
+            },
+            {
+              "id": "py/summary/lines-of-user-code",
+              "name": "py/summary/lines-of-user-code",
+              "shortDescription": {
+                "text": "Total lines of user written Python code in the database"
+              },
+              "fullDescription": {
+                "text": "The total number of lines of Python code from the source code directory, excluding auto-generated files. This query counts the lines of code, excluding whitespace or comments. Note: If external libraries are included in the codebase either in a checked-in virtual environment or as vendored code, that will currently be counted as user written code."
+              },
+              "defaultConfiguration": {
+                "enabled": true
+              },
+              "properties": {
+                "tags": [
+                  "summary",
+                  "lines-of-code",
+                  "debug"
+                ],
+                "description": "The total number of lines of Python code from the source code directory,\n   excluding auto-generated files. This query counts the lines of code, excluding\n   whitespace or comments. Note: If external libraries are included in the codebase\n   either in a checked-in virtual environment or as vendored code, that will currently\n   be counted as user written code.",
+                "id": "py/summary/lines-of-user-code",
+                "kind": "metric",
+                "name": "Total lines of user written Python code in the database"
+              }
+            }
+          ]
+        },
+        "extensions": [
+          {
+            "name": "codeql/python-queries",
+            "semanticVersion": "1.2.2+e99d7db428fc3981c9a1f03f03a024ac40e52f54",
+            "locations": [
+              {
+                "uri": "file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/",
+                "description": {
+                  "text": "The QL pack root directory."
+                },
+                "properties": {
+                  "tags": [
+                    "CodeQL/LocalPackRoot"
+                  ]
+                }
+              },
+              {
+                "uri": "file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/qlpack.yml",
+                "description": {
+                  "text": "The QL pack definition file."
+                },
+                "properties": {
+                  "tags": [
+                    "CodeQL/LocalPackDefinitionFile"
+                  ]
+                }
+              }
+            ]
+          },
+          {
+            "name": "codeql/python-all",
+            "semanticVersion": "2.0.0+e99d7db428fc3981c9a1f03f03a024ac40e52f54",
+            "locations": [
+              {
+                "uri": "file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/.codeql/libraries/codeql/python-all/2.0.0/",
+                "description": {
+                  "text": "The QL pack root directory."
+                },
+                "properties": {
+                  "tags": [
+                    "CodeQL/LocalPackRoot"
+                  ]
+                }
+              },
+              {
+                "uri": "file:///Users/john.doe/.local/bin/codeql/qlpacks/codeql/python-queries/1.2.2/.codeql/libraries/codeql/python-all/2.0.0/qlpack.yml",
+                "description": {
+                  "text": "The QL pack definition file."
+                },
+                "properties": {
+                  "tags": [
+                    "CodeQL/LocalPackDefinitionFile"
+                  ]
+                }
+              }
+            ]
+          }
+        ]
+      },
+      "invocations": [
+        {
+          "toolExecutionNotifications": [
+            {
+              "locations": [
+                {
+                  "physicalLocation": {
+                    "artifactLocation": {
+                      "uri": "script.py",
+                      "uriBaseId": "%SRCROOT%",
+                      "index": 0
+                    }
+                  }
+                }
+              ],
+              "message": {
+                "text": ""
+              },
+              "level": "none",
+              "descriptor": {
+                "id": "py/diagnostics/successfully-extracted-files",
+                "index": 0
+              },
+              "properties": {
+                "formattedMessage": {
+                  "text": ""
+                }
+              }
+            },
+            {
+              "locations": [
+                {
+                  "physicalLocation": {
+                    "artifactLocation": {
+                      "uri": ".codeql-db/codeql-database.yml",
+                      "uriBaseId": "%SRCROOT%",
+                      "index": 1
+                    }
+                  }
+                }
+              ],
+              "message": {
+                "text": ""
+              },
+              "level": "none",
+              "descriptor": {
+                "id": "py/diagnostics/successfully-extracted-files",
+                "index": 0
+              },
+              "properties": {
+                "formattedMessage": {
+                  "text": ""
+                }
+              }
+            },
+            {
+              "locations": [
+                {
+                  "physicalLocation": {
+                    "artifactLocation": {
+                      "uri": "script.py",
+                      "uriBaseId": "%SRCROOT%",
+                      "index": 0
+                    }
+                  }
+                }
+              ],
+              "message": {
+                "text": ""
+              },
+              "level": "none",
+              "descriptor": {
+                "id": "py/baseline/expected-extracted-files",
+                "index": 2
+              },
+              "properties": {
+                "formattedMessage": {
+                  "text": ""
+                }
+              }
+            },
+            {
+              "message": {
+                "text": ""
+              },
+              "level": "note",
+              "timeUtc": "2025-05-09T08:10:22.071+00:00",
+              "descriptor": {
+                "id": "cli/sip-enablement",
+                "index": 3
+              },
+              "properties": {
+                "attributes": {
+                  "isEnabled": true
+                },
+                "visibility": {
+                  "statusPage": false,
+                  "telemetry": true
+                }
+              }
+            }
+          ],
+          "executionSuccessful": true
+        }
+      ],
+      "artifacts": [
+        {
+          "location": {
+            "uri": "script.py",
+            "uriBaseId": "%SRCROOT%",
+            "index": 0
+          }
+        },
+        {
+          "location": {
+            "uri": ".codeql-db/codeql-database.yml",
+            "uriBaseId": "%SRCROOT%",
+            "index": 1
+          }
+        }
+      ],
+      "results": [
+        {
+          "ruleId": "py/bind-socket-all-network-interfaces",
+          "ruleIndex": 20,
+          "rule": {
+            "id": "py/bind-socket-all-network-interfaces",
+            "index": 20
+          },
+          "message": {
+            "text": "'0.0.0.0' binds a socket to all interfaces."
+          },
+          "locations": [
+            {
+              "physicalLocation": {
+                "artifactLocation": {
+                  "uri": "script.py",
+                  "uriBaseId": "%SRCROOT%",
+                  "index": 0
+                },
+                "region": {
+                  "startLine": 6,
+                  "endColumn": 27
+                }
+              }
+            }
+          ],
+          "partialFingerprints": {
+            "primaryLocationLineHash": "5e7a4c3f4c46a812:1",
+            "primaryLocationStartColumnFingerprint": "0"
+          }
+        }
+      ],
+      "columnKind": "unicodeCodePoints",
+      "properties": {
+        "semmle.formatSpecifier": "sarifv2.1.0",
+        "metricResults": [
+          {
+            "rule": {
+              "id": "py/summary/lines-of-code",
+              "index": 38
+            },
+            "ruleId": "py/summary/lines-of-code",
+            "ruleIndex": 38,
+            "value": 121874
+          },
+          {
+            "rule": {
+              "id": "py/summary/lines-of-user-code",
+              "index": 39
+            },
+            "ruleId": "py/summary/lines-of-user-code",
+            "ruleIndex": 39,
+            "value": 3,
+            "baseline": 3
+          }
+        ]
+      }
+    }
+  ]
+}