gitsafehub

google-research/vision_transformer · github.com/google-research/vision_transformer

scanned 2026-06-30 · git 0d03f55
🔴 Needs attention: 1 of 6 checks flagged a security issue.
Only 3 of 6 checks finished (two timed out, one did not run), so treat this verdict as provisional.

Informational scan, not a security audit.


Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish, which is not the same as “clean”: the repository’s secret-scan status is simply unknown. A 30 s timeout is easy to hit on a repository with a long history, and a local run of the same tool is not subject to it.

via Gitleaks v8.21.2 · MIT

error: timeout after 30s

Vulnerable dependencies — Trivy none found ✓

Packages you depend on that have known security holes (CVEs).

Nothing found by this check. ✓ Note that OSV-Scanner below reports 385 findings from the same requirements files, so this result shows only what Trivy could match against its database, not that the dependencies are free of known CVEs; reconcile the two before acting on either.

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 385 found · 4 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious PYSEC-2021-591 TensorFlow is an end-to-end open source platform for machine learning. In affected versions TensorFlow and Keras can be tricked to perform arbitrary code execution when deserializing a Keras model fro
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37678). Fix: Update that package to its patched version.
  • Serious PYSEC-2021-617 TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of serv
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-41208). Fix: Update that package to its patched version.
  • Serious PYSEC-2026-549 TensorFlow has a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2023-25668). Fix: Update that package to its patched version.
  • Serious GHSA-h6gw-r52c-724r NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Worth fixing GHSA-6p56-wp2h-9hxr NumPy Buffer Overflow (Disputed)
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements-tpu.txt
    A package you depend on has a known security hole (CVE-2021-33430). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fpfv-jqm9-f5jm Incorrect Comparison in NumPy
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements-tpu.txt
    A package you depend on has a known security hole (CVE-2021-34141). Fix: Update that package to its patched version.
  • Worth fixing GHSA-6p56-wp2h-9hxr NumPy Buffer Overflow (Disputed)
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-33430). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fpfv-jqm9-f5jm Incorrect Comparison in NumPy
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-34141). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-499 TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.raw_ops.MaxPoolGradWithArgmax` can cause reads outside of bounds of heap allocated data if attacker sup
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29571). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-519 TensorFlow is an end-to-end open source platform for machine learning. TFlite graphs must not have loops between nodes. However, this condition was not checked and an attacker could craft models that
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29591). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-520 TensorFlow is an end-to-end open source platform for machine learning. The fix for CVE-2020-15209(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15209) missed the case when the target shape o
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29592). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-529 TensorFlow is an end-to-end open source platform for machine learning. The TFLite implementation of concatenation is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorflow/bl
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29601). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-533 TensorFlow is an end-to-end open source platform for machine learning. The TFLite code for allocating `TFLiteIntArray`s is vulnerable to an integer overflow issue(https://github.com/tensorflow/tensorf
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29605). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-534 TensorFlow is an end-to-end open source platform for machine learning. A specially crafted TFLite model could trigger an OOB read on heap in the TFLite implementation of `Split_V`(https://github.com/t
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29606). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-535 TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29607). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-536 TensorFlow is an end-to-end open source platform for machine learning. Due to lack of validation in `tf.raw_ops.RaggedTensorToTensor`, an attacker can exploit an undefined behavior if input arguments
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29608). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-537 TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `SparseAdd` results in allowing attackers to exploit undefined behavior (dereferencing null pointers) as
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29609). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-541 TensorFlow is an end-to-end open source platform for machine learning. Incomplete validation in `tf.raw_ops.CTCLoss` allows an attacker to trigger an OOB read from heap. The fix will be included in Te
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29613). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-542 TensorFlow is an end-to-end open source platform for machine learning. The implementation of `tf.io.decode_raw` produces incorrect results and crashes the Python interpreter when combining `fixed_leng
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29614). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-548 TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of sparse reduction operations in TensorFlow can trigger accesses outside of bounds of he
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37635). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-549 TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.SparseDenseCwiseDiv` is vulnerable to a division by 0 error. The [implemen
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37636). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-550 TensorFlow is an end-to-end open source platform for machine learning. It is possible to trigger a null pointer dereference in TensorFlow by passing an invalid input to `tf.raw_ops.CompressElement`. T
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37637). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-551 TensorFlow is an end-to-end open source platform for machine learning. Sending invalid argument for `row_partition_types` of `tf.raw_ops.RaggedTensorToTensor` API results in a null pointer dereference
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37638). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-552 TensorFlow is an end-to-end open source platform for machine learning. When restoring tensors via raw APIs, if the tensor name is not provided, TensorFlow can be tricked into dereferencing a null poin
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37639). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2021-553 TensorFlow is an end-to-end open source platform for machine learning. In affected versions the implementation of `tf.raw_ops.SparseReshape` can be made to trigger an integral division by 0 exception.
    /workdirs/scan-59d5ed27-dc34-4f24-b0c5-765ca3df9200/vit_jax/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37640). Fix: Update that package to its patched version.
… 360 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
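The 385 entries above come from a handful of packages in two requirements files, and every row carries the same advice (“update that package”). What a practitioner actually needs is the one version per file and package that clears all of the advisories at once. The following Python script is an added example, not gitsafehub’s code and not part of the vision_transformer project. It reads an osv-scanner `--format json` report (the layout assumed here is osv-scanner’s: `results[].source.path`, `results[].packages[].package`, and `results[].packages[].vulnerabilities[]` holding OSV records with `affected[].ranges[].events[]`) and walks each advisory’s `introduced`/`fixed`/`last_affected` events to find the smallest published fix that no listed advisory still affects. The embedded report is constructed: its advisory IDs and CVE aliases are the ones on this page, but the installed versions and the version ranges are illustrative assumptions, not the project’s real pins or the advisories’ real ranges.

```python
"""Collapse an osv-scanner JSON report into one upgrade target per (file, package).

Added example. Assumes osv-scanner's `--format json` layout (see lead-in).
"""
import json


def _adv(vid, cve, name, *events):
    """Build a minimal OSV record for the constructed sample below."""
    return {"id": vid, "aliases": [cve], "affected": [{"package": {"name": name},
            "ranges": [{"type": "ECOSYSTEM", "events": list(events)}]}]}


# Constructed sample: advisory IDs / CVEs are from the scan above; installed and
# fixed versions are illustrative, not the project's pins or the real OSV ranges.
SAMPLE_REPORT = {"results": [
    {"source": {"path": "vit_jax/requirements.txt"}, "packages": [{
        "package": {"name": "tensorflow", "version": "2.4.0", "ecosystem": "PyPI"},
        "vulnerabilities": [
            _adv("PYSEC-2021-591", "CVE-2021-37678", "tensorflow",
                 {"introduced": "0"}, {"fixed": "2.3.4"}, {"introduced": "2.4.0"}, {"fixed": "2.4.3"},
                 {"introduced": "2.5.0"}, {"fixed": "2.5.1"}),
            _adv("PYSEC-2021-617", "CVE-2021-41208", "tensorflow",
                 {"introduced": "0"}, {"fixed": "2.4.4"}, {"introduced": "2.5.0"}, {"fixed": "2.5.2"},
                 {"introduced": "2.6.0"}, {"fixed": "2.6.1"}),
            _adv("PYSEC-2021-499", "CVE-2021-29571", "tensorflow",
                 {"introduced": "0"}, {"fixed": "2.3.3"}, {"introduced": "2.4.0"}, {"fixed": "2.4.2"}),
        ]}]},
    {"source": {"path": "vit_jax/requirements-tpu.txt"}, "packages": [{
        "package": {"name": "numpy", "version": "1.19.0", "ecosystem": "PyPI"},
        "vulnerabilities": [
            _adv("GHSA-6p56-wp2h-9hxr", "CVE-2021-33430", "numpy",
                 {"introduced": "0"}, {"last_affected": "1.20.3"}),
            _adv("GHSA-fpfv-jqm9-f5jm", "CVE-2021-34141", "numpy",
                 {"introduced": "0"}, {"fixed": "1.22.0"}),
        ]}]},
]}


def _vkey(v):
    """Simplified version key (numeric dot-parts only; not full PEP 440)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())  # "1rc2" -> "1"
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:  # "2.6.0" sorts equal to "2.6"
        parts.pop()
    return tuple(parts)


def is_affected(version, events):
    """Walk one OSV ECOSYSTEM range: each 'introduced' opens an interval that the
    next 'fixed' (exclusive) or 'last_affected' (inclusive) closes."""
    v, lo = _vkey(version), None
    for ev in events:
        if "introduced" in ev:
            lo = _vkey(ev["introduced"])
        elif "fixed" in ev or "last_affected" in ev:
            hi = _vkey(ev.get("fixed", ev.get("last_affected")))
            inclusive = "last_affected" in ev
            if lo is not None and lo <= v and (v <= hi if inclusive else v < hi):
                return True
            lo = None
    return lo is not None and lo <= v  # open-ended interval: no fix published yet


def _ranges(vuln, name):
    """Yield the event lists that apply to `name` (one advisory may cover several packages)."""
    for aff in vuln.get("affected", []):
        if aff.get("package", {}).get("name", name) != name:
            continue
        for rng in aff.get("ranges", []):
            if rng.get("type") == "ECOSYSTEM":
                yield rng.get("events", [])


def upgrade_target(name, version, vulns):
    """Smallest published 'fixed' version above `version` that no listed advisory
    still affects; None if every candidate is still caught by some advisory."""
    candidates = {ev["fixed"] for vuln in vulns for events in _ranges(vuln, name)
                  for ev in events if "fixed" in ev and _vkey(ev["fixed"]) > _vkey(version)}
    for cand in sorted(candidates, key=_vkey):
        if not any(is_affected(cand, events) for vuln in vulns for events in _ranges(vuln, name)):
            return cand
    return None


def triage(report):
    """One row per (file, package, version): advisory count, CVE aliases, upgrade target."""
    rows = {}
    for result in report["results"]:
        for pkg in result["packages"]:
            name, version = pkg["package"]["name"], pkg["package"]["version"]
            vulns = pkg["vulnerabilities"]
            rows[(result["source"]["path"], name, version)] = {
                "advisories": len(vulns),
                "cves": sorted({a for v in vulns for a in v.get("aliases", []) if a.startswith("CVE-")}),
                "upgrade_to": upgrade_target(name, version, vulns),
            }
    return rows


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # path to a real `osv-scanner --format json` report
        with open(sys.argv[1]) as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    for (path, name, version), row in triage(report).items():
        print(f"{path}: {name}=={version} -> {row['advisories']} advisories, "
              f"upgrade to {row['upgrade_to'] or 'no complete fix listed'}")
```

Run it against a real report (`osv-scanner --format json -L vit_jax/requirements.txt > osv.json`, then `python triage.py osv.json`) or with no argument to use the embedded sample. The version key is deliberately simplified to numeric parts, so for pre-release or post-release pins substitute `packaging.version.Version`; the range walk itself is the part worth keeping, since taking the per-advisory "nearest fix" and picking the maximum can land on a version that another advisory's later range still covers.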

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish, which is not the same as “clean”: the package-lookup timed out before the dependencies could be checked for typosquats or malicious install hooks, so their status is unknown.

via Guarddog v2.10.0 · Apache-2.0

error: pypi:timeout

Project health

Project health — OpenSSF Scorecard didn’t run

Maintenance and supply-chain hygiene: a signal about how the project is maintained, not a vulnerability in your code. It doesn’t affect the verdict above.

This check didn’t run, which is not the same as “clean”: the project’s maintenance posture is unassessed.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.