Informational scan, not a security audit.
API keys, passwords or tokens committed into the repo.
This check didn’t finish — that’s not the same as “clean.”
Packages you depend on that have known security holes (CVEs).
CVE-2018-7575 Integer Overflow or Wraparound in Google TensorFlow
CVE-2021-41208 Incomplete validation in boosted trees code
CVE-2023-25668 CVE-2023-25668 affecting package tensorflow for versions less than 2.11.1-1
GHSA-h6gw-r52c-724r NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow
CVE-2018-21233 Out-of-bounds read in TensorFlow possibly causing disclosure of the contents of process memory.
CVE-2018-7576 Null pointer dereference in TensorFlow leads to exploitation
CVE-2019-9635 NULL Pointer Dereference in Google TensorFlow
CVE-2020-15202 Integer truncation in Shard API usage
CVE-2020-15203 Denial of Service in Tensorflow
CVE-2020-15206 Denial of Service in Tensorflow
CVE-2020-15208 Data corruption in tensorflow-lite
CVE-2020-15209 Null pointer dereference in tensorflow-lite
CVE-2020-15210 Segmentation fault in tensorflow-lite
CVE-2020-15265 Segfault in `tf.quantization.quantize_and_dequantize`
CVE-2021-29591 Stack overflow due to looping TFLite subgraph
CVE-2021-37635 Heap out of bounds access in sparse reduction operations
CVE-2021-37637 Null pointer dereference in `CompressElement`
CVE-2021-37638 Null pointer dereference in `RaggedTensorToTensor`
CVE-2021-37639 Null pointer dereference and heap OOB read in operations restoring tensors
CVE-2021-37643 Null pointer dereference in `MatrixDiagPartOp`
CVE-2021-37647 Null pointer dereference in `SparseTensorSliceDataset`
CVE-2021-37648 Incorrect validation of `SaveV2` inputs
CVE-2021-37649 Null pointer dereference in `UncompressElement`
CVE-2021-37650 Segfault and heap buffer overflow in `{Experimental,}DatasetToTFRecord`
CVE-2021-37651 Heap buffer overflow in `FractionalAvgPoolGrad`

Your dependencies cross-checked against the OSV vulnerability database.
GHSA-3f63-hfp8-52jq Arbitrary Code Execution in Pillow
PYSEC-2019-205 Google TensorFlow 1.7.x and earlier is affected by a Buffer Overflow vulnerability. The type of exploitation is context-dependent.
PYSEC-2020-125 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `Shard` API in TensorFlow expects the last argument to be a function taking two `int64` (i.e., `long long`) arguments. However,
PYSEC-2020-128 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `data_splits` argument of `tf.raw_ops.StringNGrams` lacks validation. This allows a user to pass values that can cause heap ove
PYSEC-2020-129 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corrupt
PYSEC-2021-400 TensorFlow is an open source platform for machine learning. In affected versions the code for boosted trees in TensorFlow is still missing validation. As a result, attackers can trigger denial of serv
GHSA-gw97-ff7c-9v96 TensorFlow has a heap out-of-buffer read vulnerability in the QuantizeAndDequantize operation
GHSA-h6gw-r52c-724r NULL Pointer Dereference and Access of Uninitialized Pointer in TensorFlow
GHSA-r6jx-9g48-2r5r Arbitrary code execution due to YAML deserialization
PYSEC-2023-227 An issue was discovered in Pillow before 10.0.0. It is a Denial of Service that uncontrollably allocates memory to process a given task, potentially causing a service to crash by having it run out of
PYSEC-2026-165 Pillow is a Python imaging library. Prior to version 12.2.0, if a font advances for each glyph by an exceeding large amount, when Pillow keeps track of the current position, it may lead to an integer
GHSA-44wm-f244-xhp3 Pillow buffer overflow vulnerability
GHSA-j7hp-h8jx-5ppr libwebp: OOB write in BuildHuffmanTable
GHSA-r73j-pqj5-w3x7 Pillow has a PDF Parsing Trailer Infinite Loop (DoS)
PYSEC-2017-74 The tqdm._version module in tqdm versions 4.4.1 and 4.10 allows local users to execute arbitrary code via a crafted repo with a malicious git log in the current working directory.
PYSEC-2026-215 Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior
GHSA-4c99-qj7h-p3vg nbconvert has an Arbitrary File Write via Path Traversal in Cell Attachment Filenames
GHSA-7jqv-fw35-gmx9 nbconvert has an Arbitrary File Read via Path Traversal in HTMLExporter Image Embedding
GHSA-xm59-rqc7-hhvf nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
PYSEC-2019-206 Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
PYSEC-2019-210 NULL pointer dereference in Google TensorFlow before 1.12.2 could cause a denial of service via an invalid GIF file.
PYSEC-2020-113 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `tf.raw_ops.Switch` operation takes as input a tensor and a boolean and outputs two tensors. Depending on the boolean value, on
PYSEC-2020-117 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the `SparseFillEmptyRowsGrad` implementation has incomplete validation of the shapes of its arguments. Although `reverse_index_map_
PYSEC-2020-118 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an
PYSEC-2020-126 In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability d

Code that can be exploited — injection, hardcoded credentials and similar.
Nothing found by this check. ✓
Packages that look intentionally malicious — typosquats, sneaky install scripts.
This check didn’t finish — that’s not the same as “clean.”
A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.
Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.
scorecard-overall OpenSSF Scorecard overall: 3.5/10
scorecard-CI-Tests CI-Tests scored 0: 0 out of 13 merged PRs checked by a CI test -- score normalized to 0
scorecard-CII-Best-Practices CII-Best-Practices scored 0: no effort to earn an OpenSSF best practices badge detected
scorecard-Dependency-Update-Tool Dependency-Update-Tool scored 0: no update tool detected
scorecard-Fuzzing Fuzzing scored 0: project is not fuzzed
scorecard-Maintained Maintained scored 0: 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
scorecard-Pinned-Dependencies Pinned-Dependencies scored 0: dependency not pinned by hash detected -- score normalized to 0
scorecard-SAST SAST scored 0: SAST tool is not run on all commits -- score normalized to 0
scorecard-Security-Policy Security-Policy scored 0: security policy file not detected
scorecard-Token-Permissions Token-Permissions scored 0: detected GitHub workflow tokens with excessive permissions