gitsafehub
github.com/analysis-tools-dev/static-analysis ↗

analysis-tools-dev/static-analysis

scanned 2026-06-27 · git 66668c6
2 of 6 checks flagged a security issue
🟡 Worth a look
6 checks ran. Start with the known OSS vulnerabilities below.

Informational scan, not a security audit (the site's "How this is computed" page describes the verdict rule).

Leaked secrets: none · Vulnerable dependencies: 10 · Known OSS vulnerabilities: 29 · Risky code patterns: none · Malicious dependencies: none · Project health: 4 notes

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy 10 found

Packages you depend on that have known security holes (CVEs).

  • Worth fixing CVE-2024-12224 idna: idna accepts Punycode labels that do not produce any non-ASCII when decoded
    ci/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
    ci/Cargo.lock
    A package you depend on has a known security hole (GHSA-82j2-j2ch-gfr8). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pwjx-qhcg-rvj4 webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
    ci/Cargo.lock
    A package you depend on has a known security hole (GHSA-pwjx-qhcg-rvj4). Fix: Update that package to its patched version.
  • Worth fixing GHSA-82j2-j2ch-gfr8 rustls-webpki: Denial of service via panic on malformed CRL BIT STRING
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole (GHSA-82j2-j2ch-gfr8). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pwjx-qhcg-rvj4 webpki: CRLs not considered authoritative by Distribution Point due to faulty matching logic
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole (GHSA-pwjx-qhcg-rvj4). Fix: Update that package to its patched version.
  • Minor GHSA-965h-392x-2mh5 webpki: Name constraints for URI names were incorrectly accepted
    ci/Cargo.lock
    A package you depend on has a known security hole (GHSA-965h-392x-2mh5). Fix: Update that package to its patched version.
  • Minor GHSA-xgp8-3hg3-c2mh webpki: Name constraints were accepted for certificates asserting a wildcard name
    ci/Cargo.lock
    A package you depend on has a known security hole (GHSA-xgp8-3hg3-c2mh). Fix: Update that package to its patched version.
  • Minor GHSA-cq8v-f236-94qc Rand is unsound with a custom logger using rand::rng()
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole (GHSA-cq8v-f236-94qc). Fix: Update that package to its patched version.
  • Minor GHSA-965h-392x-2mh5 webpki: Name constraints for URI names were incorrectly accepted
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole (GHSA-965h-392x-2mh5). Fix: Update that package to its patched version.
  • Minor GHSA-xgp8-3hg3-c2mh webpki: Name constraints were accepted for certificates asserting a wildcard name
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole (GHSA-xgp8-3hg3-c2mh). Fix: Update that package to its patched version.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 29 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing RUSTSEC-2024-0421 `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
    ci/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h395-gr6q-cpjc jsonwebtoken has Type Confusion that leads to potential authorization bypass
    ci/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25537). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2025-0009 Some AES functions may panic when overflow checking is enabled.
    ci/Cargo.lock
    A package you depend on has a known security hole (CVE-2025-4432). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0049 CRLs not considered authoritative by Distribution Point due to faulty matching logic
    ci/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0104 Reachable panic in certificate revocation list parsing
    ci/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0185 Remote memory exhaustion in quinn-proto from unbounded out-of-order stream reassembly
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0049 CRLs not considered authoritative by Distribution Point due to faulty matching logic
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2026-0104 Reachable panic in certificate revocation list parsing
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2024-0421 `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2024-12224). Fix: Update that package to its patched version.
  • Worth fixing GHSA-h395-gr6q-cpjc jsonwebtoken has Type Confusion that leads to potential authorization bypass
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-25537). Fix: Update that package to its patched version.
  • Worth fixing GHSA-8c75-8mhr-p7r9 rust-openssl has incorrect bounds assertion in AES key wrap
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41678). Fix: Update that package to its patched version.
  • Worth fixing GHSA-ghm9-cr32-g9qj rust-openssl: `MdCtxRef::digest_final()` writes past caller buffer with no length check
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41681). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hppc-g8h3-xhp3 rust-openssl: Unchecked callback length in PSK/cookie trampolines leaks adjacent memory to peer
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41898). Fix: Update that package to its patched version.
  • Worth fixing GHSA-phqj-4mhp-q6mq rust-openssl: Potential out-of-bounds write in `CipherCtxRef::cipher_update_inplace` for AES-KW-PAD ciphers
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-45784). Fix: Update that package to its patched version.
  • Worth fixing GHSA-pqf5-4pqq-29f5 rust-openssl: `Deriver::derive` and `PkeyCtxRef::derive` can overflow short buffers on OpenSSL 1.1.1
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41676). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xp3w-r5p5-63rr rust-openssl has undefined behavior in `X509Ref::ocsp_responders` for certificates with non-UTF-8 OCSP URLs
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-42327). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xv59-967r-8726 rust-openssl vulnerable to heap buffer overflow when encrypting with AES key-wrap-with-padding
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-44662). Fix: Update that package to its patched version.
  • Worth fixing RUSTSEC-2025-0009 Some AES functions may panic when overflow checking is enabled.
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2025-4432). Fix: Update that package to its patched version.
  • Minor RUSTSEC-2026-0098 Name constraints for URI names were incorrectly accepted
    ci/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor RUSTSEC-2026-0099 Name constraints were accepted for certificates asserting a wildcard name
    ci/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor RUSTSEC-2026-0098 Name constraints for URI names were incorrectly accepted
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor RUSTSEC-2026-0099 Name constraints were accepted for certificates asserting a wildcard name
    ci/pr-check/Cargo.lock
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Minor GHSA-xmgf-hq76-4vx2 rust-openssl has an out-of-bounds read in PEM password callback when returning an oversized length
    ci/render/Cargo.lock
    A package you depend on has a known security hole (CVE-2026-41677). Fix: Update that package to its patched version.
  • FYI RUSTSEC-2025-0010 Versions of *ring* prior to 0.17 are unmaintained.
    ci/Cargo.lock
    An unmaintained-crate advisory, not a vulnerability: releases before 0.17 no longer receive fixes, so any future issue in them will stay unpatched. Fix: Update *ring* to 0.17 or later.
  • FYI RUSTSEC-2025-0134 rustls-pemfile is unmaintained
    ci/Cargo.lock
    An unmaintained-crate advisory, not a vulnerability: the crate no longer receives fixes. Fix: Migrate to a maintained replacement.
… 4 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
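The cross-check that the Trivy and OSV-Scanner sections above perform, as an added example (this is not gitsafehub's code and not the repository's): it reads a Cargo.lock, matches each locked version against an advisory table with an affected version range, and tiers the result the way the report does, a vulnerability as "Worth fixing" and an unmaintained-crate advisory as "FYI" with a migration hint instead of a patch. The lockfile excerpt and the advisory table are constructed sample data; the affected ranges for RUSTSEC-2024-0421, RUSTSEC-2025-0009 and RUSTSEC-2025-0010 are taken from those advisories as published and should be confirmed on rustsec.org before being relied on. Running the same check once per lockfile is why the report lists one advisory several times, once for ci/Cargo.lock and once for ci/pr-check/Cargo.lock.

```rust
use std::fmt;

// Added example, not gitsafehub's or the repository's code. Sample lockfile and
// advisory table are constructed; the ranges for the three real RUSTSEC ids are
// taken from the published advisories (assumption: re-check on rustsec.org).

/// Semver core "MAJOR.MINOR.PATCH"; the derived Ord compares field by field.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Pre-release and build suffixes are dropped (simplification: a real
    /// matcher must order "1.0.0-rc.1" below "1.0.0").
    pub fn parse(s: &str) -> Option<Version> {
        let core = s.split(|c: char| c == '-' || c == '+').next()?;
        let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
        Some(Version(it.next()??, it.next()??, it.next()??))
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.0, self.1, self.2)
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Kind { Vulnerability, Unmaintained }

/// Affected range is [introduced, fixed); fixed = None means no fixed release.
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub introduced: Version,
    pub fixed: Option<Version>,
    pub kind: Kind,
}

#[derive(Debug, PartialEq, Eq)]
pub struct Finding {
    pub id: String,
    pub package: String,
    pub version: String,
    pub label: &'static str, // "Worth fixing" for a vulnerability, "FYI" for unmaintained
    pub fix: String,
}

/// Sample advisory table (assumption: ranges as published in the named advisories).
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory { id: "RUSTSEC-2024-0421", package: "idna", introduced: Version(0, 0, 0),
                   fixed: Some(Version(1, 0, 0)), kind: Kind::Vulnerability },
        Advisory { id: "RUSTSEC-2025-0009", package: "ring", introduced: Version(0, 0, 0),
                   fixed: Some(Version(0, 17, 12)), kind: Kind::Vulnerability },
        Advisory { id: "RUSTSEC-2025-0010", package: "ring", introduced: Version(0, 0, 0),
                   fixed: Some(Version(0, 17, 0)), kind: Kind::Unmaintained },
    ]
}

/// Constructed Cargo.lock excerpt (not the repository's real lockfile).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "idna"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "unicode-bidi",
]

[[package]]
name = "ring"
version = "0.16.20"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.210"
"#;

/// Extract the quoted value of `key = "value"`, or None if the line is something else.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    rest.strip_prefix('"')?.strip_suffix('"')
}

/// Minimal Cargo.lock reader: one (name, version) pair per [[package]] table.
pub fn parse_lockfile(text: &str) -> Vec<(String, Version)> {
    let mut packages = Vec::new();
    let (mut name, mut version) = (None::<String>, None::<Version>);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push((n, v));
            }
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v.to_string());
        } else if let Some(v) = quoted_value(line, "version") {
            version = Version::parse(v);
        }
    }
    if let (Some(n), Some(v)) = (name, version) {
        packages.push((n, v));
    }
    packages
}

/// Match every locked package against every advisory for it and tier the result.
pub fn cross_check(lock: &[(String, Version)], advisories: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (name, ver) in lock {
        for adv in advisories.iter().filter(|a| a.package == name.as_str()) {
            let affected = *ver >= adv.introduced && adv.fixed.as_ref().map_or(true, |f| ver < f);
            if !affected {
                continue;
            }
            let (label, fix) = match (adv.kind, &adv.fixed) {
                (Kind::Vulnerability, Some(f)) => ("Worth fixing", format!("update {name} to {f} or later")),
                (Kind::Vulnerability, None) => ("Worth fixing", format!("no fixed release of {name}; replace it")),
                (Kind::Unmaintained, Some(f)) => ("FYI", format!("{name} below {f} is unmaintained; move to {f} or later")),
                (Kind::Unmaintained, None) => ("FYI", format!("{name} is unmaintained; plan a replacement")),
            };
            findings.push(Finding {
                id: adv.id.to_string(), package: name.clone(), version: ver.to_string(), label, fix,
            });
        }
    }
    findings
}

fn main() {
    // Mirrors the report's line format: label, advisory id, crate, locked version, fix.
    for f in cross_check(&parse_lockfile(SAMPLE_LOCK), &sample_advisories()) {
        println!("{} {} {} {}: fix: {}", f.label, f.id, f.package, f.version, f.fix);
    }
}
```

The version handling above deliberately ignores pre-release ordering, so a locked `1.0.0-rc.1` would be treated as already fixed for an advisory whose fix is `1.0.0`; a production checker should use the semver crate, or simply run cargo-audit or osv-scanner against each lockfile, both of which draw on the RustSec advisory database that feeds OSV.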

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard 4 notes

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

  • Minor scorecard-overall OpenSSF Scorecard overall: 6.5/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.