gitsafehub
github.com/macrozheng/mall-swarm ↗

macrozheng/mall-swarm

scanned 2026-06-30 · git 04c442f
1 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished — treat this as provisional. Re-check ↻

Informational scan, not a security audit. How this is computed.

Leaked secretsVulnerable dependenciesKnown OSS vulnerabilities61Risky code patternsMalicious dependenciesProject health

Security checks

Leaked secrets — Gitleaks none found ✓

API keys, passwords or tokens committed into the repo.

Nothing found by this check. ✓

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy timed out

Packages you depend on that have known security holes (CVEs).

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via Trivy v0.70.0 · Apache-2.0

error: timeout after 120s

Known OSS vulnerabilities — OSV-Scanner 61 found · 6 serious

Your dependencies cross-checked against the OSV vulnerability database.

  • Serious GHSA-5m62-pw8w-7w9f Apache Tomcat - Security constraints not correctly applied
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-43515). Fix: Update that package to its patched version.
  • Serious GHSA-h6fc-48rj-7qqh Apache Tomcat - Digest authenticator will authenticate any unknown user
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-43512). Fix: Update that package to its patched version.
  • Serious GHSA-r29c-68gh-xp6x Apache Tomcat - HTTP/2 request headers not validated
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-41293). Fix: Update that package to its patched version.
  • Serious GHSA-5m62-pw8w-7w9f Apache Tomcat - Security constraints not correctly applied
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-43515). Fix: Update that package to its patched version.
  • Serious GHSA-h6fc-48rj-7qqh Apache Tomcat - Digest authenticator will authenticate any unknown user
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-43512). Fix: Update that package to its patched version.
  • Serious GHSA-r29c-68gh-xp6x Apache Tomcat - HTTP/2 request headers not validated
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-41293). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5hh8-q8hv-fr38 jackson-databind has @JsonView bypass for setterless creator properties
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54517). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54515). Fix: Update that package to its patched version.
  • Worth fixing GHSA-9fxm-vc8v-hj55 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54516). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54514). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j3rv-43j4-c7qm jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54512). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rcqc-6cw3-h962 jackson-databind has a @JsonView bypass for unwrapped creator parameters
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54518). Fix: Update that package to its patched version.
  • Worth fixing GHSA-rmj7-2vxq-3g9f jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (allowIfSubTypeIsArray)
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-54513). Fix: Update that package to its patched version.
  • Worth fixing GHSA-mj4r-2hfc-f8p6 Netty Lz4FrameDecoder is vulnerable to resource exhaustion
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-42583). Fix: Update that package to its patched version.
  • Worth fixing GHSA-3qp7-7mw8-wx86 Netty has an IPv6 Subnet Filter Bypass via Incorrect Comparator Masking
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-44249). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c653-97m9-rcg9 Netty: Wrapping plain trust manager silently disables hostname verification
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-50010). Fix: Update that package to its patched version.
  • Worth fixing GHSA-x4gw-5cx5-pgmh Netty: SNI handler pre-allocates up to 16 MiB from nine attacker bytes
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-45416). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5mp6-jrq3-r938 Apache Tomcat: LockOutRealm treats user names as case-sensitive
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-43513). Fix: Update that package to its patched version.
  • Worth fixing GHSA-fv25-8xcx-gqjc Apache Tomcat - WebSocket authentication header exposure
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-42498). Fix: Update that package to its patched version.
  • Worth fixing GHSA-gx5v-xp9w-j4cg Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-41284). Fix: Update that package to its patched version.
  • Worth fixing GHSA-c3fc-8qff-9hwx Bouncy Castle has an LDAP injection
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-common/pom.xml
    A package you depend on has a known security hole (CVE-2026-0636). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5hh8-q8hv-fr38 jackson-databind has @JsonView bypass for setterless creator properties
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-54517). Fix: Update that package to its patched version.
  • Worth fixing GHSA-5jmj-h7xm-6q6v jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-54515). Fix: Update that package to its patched version.
  • Worth fixing GHSA-9fxm-vc8v-hj55 jackson-databind's renamed @JsonIgnore'd setters can deserialize via private fields
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-54516). Fix: Update that package to its patched version.
  • Worth fixing GHSA-hgj6-7826-r7m5 jackson-databind: InetSocketAddress deserialization triggers eager DNS resolution (SSRF)
    /workdirs/scan-8fcd0734-6e07-4c2e-8be9-bb8369d4cf96/mall-monitor/pom.xml
    A package you depend on has a known security hole (CVE-2026-54514). Fix: Update that package to its patched version.
… 36 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog none found ✓

Packages that look intentionally malicious — typosquats, sneaky install scripts.

Nothing found by this check. ✓

via Guarddog v2.10.0 · Apache-2.0

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.” Try Check again above.

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.