gitsafehub
github.com/waditu/tushare

waditu/tushare

scanned 2026-06-29 · git 0938569
2 of 6 checks flagged a security issue
🟡 Worth a look
Only 4 of 6 checks finished — treat this as provisional.

Informational scan, not a security audit.

Summary: Leaked secrets (1) · Vulnerable dependencies · Known OSS vulnerabilities (14) · Risky code patterns · Malicious dependencies · Project health

Security checks

Leaked secrets — Gitleaks 1 found

API keys, passwords or tokens committed into the repo.

  • Worth fixing · generic-api-key · Detected a Generic API Key, potentially exposing access to various services and sensitive operations.
    tushare/futures/domestic_cons.py:33
    A credential (key, password or token) appears in your code. Fix: Remove it, rotate the key, and load it from an environment variable instead.

via Gitleaks v8.21.2 · MIT

Vulnerable dependencies — Trivy none found ✓

Packages you depend on that have known security holes (CVEs).

Nothing found by this check. ✓

via Trivy v0.70.0 · Apache-2.0

Known OSS vulnerabilities — OSV-Scanner 14 found

Your dependencies cross-checked against the OSV vulnerability database.

  • Worth fixing · PYSEC-2018-12 · An issue was discovered in lxml before 4.2.5. lxml/html/clean.py in the lxml.html.clean module does not remove javascript: URLs that use escaping, allowing a remote attacker to conduct XSS attacks, as
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2018-19787). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2020-62 · A XSS vulnerability was discovered in python-lxml's clean module. The module's parser didn't properly imitate browsers, which caused different behaviors between the sanitizer and the user's page. A re
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2020-27783). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2021-19 · An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attrib
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2021-28957). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2021-852 · lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML Cleaner in lxml.html lets certain crafted script content pass through, as well as script content
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2021-43818). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2022-230 · NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlie
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2022-2309). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2026-87 · lxml is a library for processing XML and HTML in the Python language. Prior to 6.1.0, using either of the two parsers in the default configuration (with resolve_entities=True) allows untrusted XML inp
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2026-41066). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2014-13 · Requests (aka python-requests) before 2.3.0 allows remote servers to obtain a netrc password by reading the Authorization header in a redirected request.
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2014-1829). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2014-14 · Requests (aka python-requests) before 2.3.0 allows remote servers to obtain sensitive information by reading the Proxy-Authorization header in a redirected request.
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2014-1830). Fix: Update that package to its patched version.
  • Worth fixing · PYSEC-2018-28 · The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to dis
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2018-18074). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-9hjg-9r4m-mvj7 · Requests vulnerable to .netrc credentials leak via malicious URLs
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2024-47081). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-9wx4-h78v-vm56 · Requests `Session` object does not verify requests after making first request with verify=False
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2024-35195). Fix: Update that package to its patched version.
  • Worth fixing · GHSA-gc5v-m9x4-r6x2 · Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility function
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2026-25645). Fix: Update that package to its patched version.
  • FYI · PYSEC-2020-73 · ** DISPUTED ** pandas through 1.0.3 can unserialize and execute commands from an untrusted file that is passed to the read_pickle() function, if __reduce__ makes an os.system call. NOTE: third parties
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2020-13091). Fix: Update that package to its patched version.
  • FYI · PYSEC-2015-17 · The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.
    /workdirs/scan-be9976af-e8ce-4e96-9448-250c4858d178/requirements.txt
    A package you depend on has a known security hole (CVE-2015-2296). Fix: Update that package to its patched version.

via OSV-Scanner v1.9.2 · Apache-2.0

Risky code patterns — Semgrep none found ✓

Code that can be exploited — injection, hardcoded credentials and similar.

Nothing found by this check. ✓

via Semgrep v1.147.0 · LGPL-2.1

Malicious dependencies — Guarddog timed out

Packages that look intentionally malicious — typosquats, sneaky install scripts.

This check didn’t finish — that’s not the same as “clean.”

via Guarddog v2.10.0 · Apache-2.0

error: pypi:timeout

Project health

A signal about how the project is maintained — not a vulnerability in your code. It doesn’t affect the verdict above.

Project health — OpenSSF Scorecard didn’t run

Maintenance & supply-chain hygiene. A signal about the project — not a vulnerability in your code.

This check didn’t finish — that’s not the same as “clean.”

via OpenSSF Scorecard · Apache-2.0

About these results. Six open-source checks ran in parallel; every finding is tagged with the tool that produced it. The verdict follows a published rule. False positives and false negatives are normal — a clean scan does not mean the code is secure, and a red verdict does not mean the project is compromised.