gitsafehub
github.com/udacity/deep-learning-v2-pytorch

udacity/deep-learning-v2-pytorch

scanned 2026-06-28 · git c9404fc
2 of 6 checks flagged a security issue
🔴 Needs attention
Only 4 of 6 checks finished (Gitleaks timed out and Guarddog could not run), so treat this verdict as provisional: the two unfinished checks may hide findings of their own.

Informational scan, not a security audit.

Summary: Leaked secrets (did not finish) · Vulnerable dependencies 402 · Known OSS vulnerabilities 431 · Risky code patterns none · Malicious dependencies (did not finish) · Project health 10 notes

Security checks

Leaked secrets — Gitleaks timed out

API keys, passwords or tokens committed into the repo.

This check didn’t finish; that is not the same as “clean.”

via Gitleaks v8.21.2 · MIT

error: timeout after 1800s

Vulnerable dependencies — Trivy 402 found · 4 serious

Packages you depend on that have known security holes (CVEs). Every finding shown below is raised against the single TensorFlow pin in tensorflow/intro-to-tensorflow/requirements.txt, so one version bump of that pin (followed by a re-scan) addresses all of them at once.

  • Serious CVE-2018-7575 Integer Overflow or Wraparound in Google TensorFlow
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2018-7575). Fix: Update that package to its patched version.
  • Serious CVE-2021-41208 Incomplete validation in boosted trees code
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-41208). Fix: Update that package to its patched version.
  • Serious CVE-2023-25668 Heap out-of-buffer read in the QuantizeAndDequantize operation, affecting tensorflow versions less than 2.11.1-1
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2023-25668). Fix: Update that package to its patched version.
  • Serious GHSA-h6gw-r52c-724r NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (GHSA-h6gw-r52c-724r). Fix: Update that package to its patched version.
  • Worth fixing CVE-2018-21233 Out-of-bounds read in TensorFlow possibly causing disclosure of the contents of process memory.
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2018-21233). Fix: Update that package to its patched version.
  • Worth fixing CVE-2018-7576 Null pointer dereference in TensorFlow leads to exploitation
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2018-7576). Fix: Update that package to its patched version.
  • Worth fixing CVE-2019-9635 NULL Pointer Dereference in Google TensorFlow
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2019-9635). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15202 Integer truncation in Shard API usage
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15202). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15203 Denial of Service in Tensorflow
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15203). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15206 Denial of Service in Tensorflow
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15206). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15208 Data corruption in tensorflow-lite
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15208). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15209 Null pointer dereference in tensorflow-lite
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15209). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15210 Segmentation fault in tensorflow-lite
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15210). Fix: Update that package to its patched version.
  • Worth fixing CVE-2020-15265 Segfault in `tf.quantization.quantize_and_dequantize`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15265). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-29591 Stack overflow due to looping TFLite subgraph
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-29591). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37635 Heap out of bounds access in sparse reduction operations
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37635). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37637 Null pointer dereference in `CompressElement`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37637). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37638 Null pointer dereference in `RaggedTensorToTensor`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37638). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37639 Null pointer dereference and heap OOB read in operations restoring tensors
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37639). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37643 Null pointer dereference in `MatrixDiagPartOp`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37643). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37647 Null pointer dereference in `SparseTensorSliceDataset`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37647). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37648 Incorrect validation of `SaveV2` inputs
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37648). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37649 Null pointer dereference in `UncompressElement`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37649). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37650 Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37650). Fix: Update that package to its patched version.
  • Worth fixing CVE-2021-37651 Heap buffer overflow in `FractionalAvgPoolGrad`
    tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37651). Fix: Update that package to its patched version.
… 377 more not shown

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 431 found · 9 serious

Your dependencies cross-checked against the OSV vulnerability database. Many entries here are the Trivy findings above under a different identifier (PYSEC-2019-205 is CVE-2018-7575, PYSEC-2021-400 is CVE-2021-41208, GHSA-gw97-ff7c-9v96 is CVE-2023-25668), so the 402 and 431 counts overlap heavily and must not be added together.

  • Serious GHSA-3f63-hfp8-52jq Arbitrary Code Execution in Pillow
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2023-50447). Fix: Update that package to its patched version.
  • Serious PYSEC-2019-205 Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent.
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2018-7575). Fix: Update that package to its patched version.
  • Serious PYSEC-2020-125 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However,
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15202). Fix: Update that package to its patched version.
  • Serious PYSEC-2020-128 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap ove
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15205). Fix: Update that package to its patched version.
  • Serious PYSEC-2020-129 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corrupt
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15206). Fix: Update that package to its patched version.
  • Serious PYSEC-2021-400 TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of serv
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-41208). Fix: Update that package to its patched version.
  • Serious GHSA-gw97-ff7c-9v96 TensorFlow has a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2023-25668). Fix: Update that package to its patched version.
  • Serious GHSA-h6gw-r52c-724r NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole. Fix: Update that package to its patched version.
  • Serious GHSA-r6jx-9g48-2r5r Arbitrary code execution due to YAML deserialization
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2021-37678). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2023-227 An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2023-44271). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-165 Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-42308). Fix: Update that package to its patched version.
  • Worth fixing GHSA-44wm-f244-xhp3 Pillow buffer overflow vulnerability
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2024-28219). Fix: Update that package to its patched version.
  • Worth fixing GHSA-j7hp-h8jx-5ppr libwebp: OOB write in BuildHuffmanTable
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2023-4863). Fix: Update that package to its patched version.
  • Worth fixing GHSA-r73j-pqj5-w3x7 Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-42310). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2017-74 The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2016-10075). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-45409). Fix: Update that package to its patched version.
  • Worth fixing GHSA-4c99-qj7h-p3vg nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-39377). Fix: Update that package to its patched version.
  • Worth fixing GHSA-7jqv-fw35-gmx9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2026-39378). Fix: Update that package to its patched version.
  • Worth fixing GHSA-xm59-rqc7-hhvf nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/requirements.txt
    A package you depend on has a known security hole (CVE-2025-53000). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2019-206 Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2018-7576). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2019-210 NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file.
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2019-9635). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2020-113 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, on
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15190). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2020-117 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments. Although `reverse_index_map_
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15194). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2020-118 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15195). Fix: Update that package to its patched version.
  • Worth fixing PYSEC-2020-126 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability d
    /workdirs/scan-5b7bd8cb-2d9f-4e34-8b8f-a9552ea346c7/tensorflow/intro-to-tensorflow/requirements.txt
    A package you depend on has a known security hole (CVE-2020-15203). Fix: Update that package to its patched version.
… 406 more not shown

via OSV-Scanner v1.9.2 · Apache-2.0
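Both the Trivy and the OSV-Scanner lists above reduce to the same question: does the version pinned in a requirements file fall inside an advisory's affected range? The script below is an added example for this report, not code from gitsafehub or from the udacity repository. The requirements text is constructed (the report does not show the repo's actual pins, so `tensorflow==1.7.0` and the other versions are hypothetical), and the advisory ranges are a transcription of the advisory sentences quoted above ("before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1", "before 1.12.2", "before 10.0.0", "versions 4.4.1 and 4.10") into the OSV introduced/fixed event form, which is how a scanner evaluates them.

```python
"""Triage pinned requirements against OSV-style affected ranges.

Added example for this report; not code from gitsafehub or the udacity repo.
The requirements text is CONSTRUCTED and the advisory ranges are transcribed
from the advisory sentences quoted in the report into [introduced, fixed) events.
"""
import re

# Constructed sample; the pins are hypothetical, not the repository's.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt for the example
tensorflow==1.7.0
Pillow>=9.0        # lower bound only: a range check cannot clear this
tqdm==4.10.0
numpy==1.24.3
"""

# A range is [introduced, fixed); fixed=None would mean "no fix on that branch".
# "versions" lists exact affected releases, as OSV does for PYSEC-2017-74.
ADVISORIES = {
    "PYSEC-2020-125": {"package": "tensorflow",   # "before 1.15.4, 2.0.3, 2.1.2, 2.2.1, 2.3.1"
                       "ranges": [("0", "1.15.4"), ("2.0.0", "2.0.3"), ("2.1.0", "2.1.2"),
                                  ("2.2.0", "2.2.1"), ("2.3.0", "2.3.1")]},
    "PYSEC-2019-210": {"package": "tensorflow", "ranges": [("0", "1.12.2")]},   # "before 1.12.2"
    "PYSEC-2023-227": {"package": "pillow", "ranges": [("0", "10.0.0")]},       # "before 10.0.0"
    "PYSEC-2017-74": {"package": "tqdm", "versions": ["4.4.1", "4.10"]},        # exact versions
}

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(===|==|~=|>=|<=|!=|>|<)?\s*([0-9][^\s;,]*)?")


def parse_version(text):
    """Turn '1.15.4' or '4.10' into a comparable, zero-padded tuple of ints.

    Deliberate simplification: a pre-release or local suffix ('2.11.1rc0',
    '1.0+cpu') is cut at the first non-numeric component, so a pre-release
    compares equal to its final release. Use packaging.version when exactness matters.
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 4:          # (4, 10) must equal (4, 10, 0)
        parts.append(0)
    return tuple(parts)


def parse_requirements(text):
    """Return (normalized name, operator, version) per requirement line."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):   # blank, comment, or a pip option like -r
            continue
        m = REQ_RE.match(line)
        if m:
            out.append((m.group(1).lower().replace("_", "-"), m.group(2), m.group(3)))
    return out


def affected(version, ranges=(), versions=()):
    """OSV semantics: affected if listed exactly or inside any [introduced, fixed) window."""
    v = parse_version(version)
    if any(v == parse_version(x) for x in versions):
        return True
    for introduced, fixed in ranges:
        if v >= parse_version(introduced) and (fixed is None or v < parse_version(fixed)):
            return True
    return False


def triage(requirements_text, advisories=ADVISORIES):
    """Return (hits, untriaged).

    hits: (package, pinned version, advisory id) for every exact pin in range.
    untriaged: packages without an exact '==' pin; a range check cannot clear
    those, which is also why scanners need a lock file, not a loose bound.
    """
    hits, untriaged = [], []
    for name, op, ver in parse_requirements(requirements_text):
        if op != "==" or ver is None:
            untriaged.append(name)
            continue
        for adv_id, adv in advisories.items():
            if adv["package"] == name and affected(ver, adv.get("ranges", ()), adv.get("versions", ())):
                hits.append((name, ver, adv_id))
    return hits, untriaged


if __name__ == "__main__":
    found, loose = triage(SAMPLE_REQUIREMENTS)
    for name, ver, adv in found:
        print(f"{name}=={ver} is affected by {adv}")
    for name in loose:
        print(f"{name}: not an exact pin, resolve the lock file before triaging")
```

The branch-aware ranges matter: with the PYSEC-2020-125 events above, 2.3.0 is affected, 2.3.1 is fixed, and 2.4.0 is outside every window, which is the same answer a naive "less than 2.3.1" check gets wrong for 2.0.3 and 2.1.2. Loose specifiers such as `Pillow>=9.0` come back as untriaged because the installed version is whatever the resolver picked on the day; pin them (or commit a lock file) so a scanner has something definite to evaluate.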

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog couldn’t run

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish; that is not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: pypi:Traceback (most recent call last): File "/usr/local/bin/guarddog", line 5, in <module> from guarddog.cli import cl

Project health — OpenSSF Scorecard 10 notes

Maintenance & supply-chain hygiene: a signal about how the project is maintained, not a vulnerability in your code. It doesn’t affect the verdict above.

  • Worth fixing scorecard-overall OpenSSF Scorecard overall: 3.5/10
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CI-Tests CI-Tests scored 0: 0 out of 13 merged PRs checked by a CI test -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code. With no upstream activity, do not expect the TensorFlow and Pillow pins flagged above to be bumped for you; override them in your own fork or environment.
  • Minor scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.
  • Minor scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions
    A project-health signal (maintenance / supply-chain hygiene) — not a vulnerability in your code.

via OpenSSF Scorecard v5.5.0 · Apache-2.0
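Two of the Scorecard notes above, Token-Permissions ("workflow tokens with excessive permissions") and Pinned-Dependencies ("dependency not pinned by hash"), are about the shape of CI workflow files. The checker below is an added example for this report, not code from gitsafehub or from the udacity repository: the report does not show the repo's workflows, so both the weak and the hardened workflow are constructed, the 40-hex action SHAs in the hardened one are placeholders rather than real commits, and no YAML library is used, so it only understands the usual `permissions:` / `uses:` / `run:` layout. It demonstrates the three concrete fixes: an explicit least-privilege `permissions:` block, actions pinned to a full commit SHA instead of a mutable tag, and `pip install --require-hashes`.

```python
"""Line-level lint for the Scorecard Token-Permissions and Pinned-Dependencies notes.

Added example; not from gitsafehub or the udacity repository. Both workflows
are CONSTRUCTED and the 40-hex SHAs are placeholders, not real commits.
"""
import re

WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
      - run: pip install -r requirements.txt
      - run: pytest
"""

HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: actions/setup-python@89abcdef0123456789abcdef0123456789abcdef  # v5 (placeholder SHA)
        with:
          python-version: "3.11"
      - run: pip install --require-hashes -r requirements.txt
      - run: pytest
"""

PERM_RE = re.compile(r"^\s*permissions:\s*(\S*)")
USES_RE = re.compile(r"\buses:\s*([^\s@]+)@(\S+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")        # only a full commit SHA is immutable
PIP_RE = re.compile(r"\bpip3?\s+install\b")


def lint_workflow(text):
    """Return (line, rule, message) findings for one workflow; [] means clean."""
    findings = []
    saw_permissions = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments (simplification)
        m = PERM_RE.match(line)
        if m:
            saw_permissions = True
            if m.group(1) == "write-all":
                findings.append((no, "token-permissions",
                                 "permissions: write-all; list only the scopes the job needs"))
            continue
        m = USES_RE.search(line)
        if m and not SHA_RE.match(m.group(2)):
            findings.append((no, "unpinned-action",
                             f"{m.group(1)}@{m.group(2)} is a mutable tag or branch; pin the full commit SHA"))
        if PIP_RE.search(line) and "--require-hashes" not in line:
            findings.append((no, "unhashed-pip",
                             "pip install without --require-hashes; lock-file hashes are not enforced"))
    if not saw_permissions:
        findings.append((0, "token-permissions",
                         "no permissions: block; the job runs with the repository's default GITHUB_TOKEN scope"))
    return findings


if __name__ == "__main__":
    for label, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{label}: {len(lint_workflow(wf))} finding(s)")
        for no, rule, msg in lint_workflow(wf):
            print(f"  line {no}: {rule}: {msg}")
```

`--require-hashes` only works once every requirement carries a hash, which is what a hash-pinned lock file (for example one produced with pip-tools' `pip-compile --generate-hashes`) provides; that one change is also what would move the Pinned-Dependencies note above off zero. Pinning actions to a SHA removes the case where a tag is moved to new code after review, at the cost of needing an update tool to bump the SHAs, which is the Dependency-Update-Tool note.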

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.