Close Open Privacy Scan
App Privacy Score
Low risk · 170 finding(s)
Dependency score: 57 (Medium risk)
bar_chart Score Breakdown
list Scan Summary
swap_horiz External domains
100.100.100.200access.line.meaccount.health.nokia.comaccount.withings.comaccounts.google.comaccounts.spotify.comacme-staging-v02.api.letsencrypt.orgacme-v02.api.letsencrypt.orgacs.amazonaws.comaka.msamazonaws.comapi.amazon.comapi.badgr.ioapi.cohere.comapi.dropboxapi.comapi.ebay.comapi.fitbit.comapi.github.comapi.hipchat.comapi.instagram.comapi.line.meapi.login.yahoo.comapi.mediamath.comapi.odnoklassniki.ruapi.openai.comapi.paypal.comapi.pinterest.comapi.sandbox.paypal.comapi.siliconflow.cnapi.voyageai.comapi.x.comapp.asana.comapp.rakuten.co.jpappleid.apple.comauth.ebay.combadgr.combattle.netbitbucket.orgcloud.google.comdashscope.aliyuncs.comdiscord.comdocs.aws.amazon.comdocs.microsoft.comen.wikipedia.orgencoding.spec.whatwg.orgfakestorage.blob.core.windows.netfoursquare.comgenerativelanguage.googleapis.comgit.k8s.iogithub.comgitlab.comgo.devgolang.orggoogle-styleguide.googlecode.comgoogle.github.iograph.facebook.comgraph.qq.comgrpc.iohg.mozilla.orghttpbin.orghyper.rsid.heroku.comid.twitch.tvjson.orgkauth.kakao.comkubernetes.iolearn.microsoft.comllm.api.cloud.yandex.netlogin.chinacloudapi.cnlogin.coinbase.comlogin.live.comlogin.mailchimp.comlogin.microsoftonline.comlogin.microsoftonline.uslogin.uber.commanagement.azure.commanagement.chinacloudapi.cnmanagement.core.chinacloudapi.cnmanagement.core.usgovcloudapi.netmanagement.core.windows.netmanagement.usgovcloudapi.netmetadata.tencentyun.commilvus.ionid.naver.como2.mail.ruoauth.pipedrive.comoauth.vk.comoauth.web.cern.choauth.yandex.comoauth2.googleapis.comoauth2.mtls.googleapis.comopentelemetry.iopkg.go.devprotobuf.devpublicsuffix.orgpulsar.apache.orgpyroscope.ioraw.githubusercontent.comrouter.huggingface.cos3.amazonaws.comslack.comsnowballstem.orgstackoverflow.comstorage.azure.comstorage.googleapis.comstorage.mtls.googleapis.comstorage.universe_domainsts.amazonaws.comsts.universe_domaint1sandbox.mediamath.comtext-embeddings-service.milvus-ci.svc.cluster.localtext-rerank-service.milvus-ci.svc.cluster.localtools.ietf.orgwikipedia.orgwww.alibabacloud.comwww.amazon.comwww.apache.orgwww.dropbox.comwww.facebook.comwww.fitbit.comwww.googleapis.comwww.hipchat.comwww.iana.orgwww.ibm.comwww.linkedin.comwww.odnoklassniki.ruwww.openstreetmap.orgwww.patreon.comwww.paypal.comwww.pinterest.comwww.sandbox.paypal.comwww.splitwise.comwww.strava.comwww.unicode.orgwww.w3.orgx.comzoom.us
</> First-Party Code
first-party (rust): internal/core/thirdparty/tantivy/tantivy-binding
rust first-partyexpand_more 24 low-confidence finding(s)
let crate_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let package_name = env::var("CARGO_PKG_NAME").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let tokenizer_proto_path = env::var("TOKENIZER_PROTO").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let flock = fs::File::create(&path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut dest = fs::File::create(tmp_path.as_path())?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut tar_gz = fs::File::open(source_path_for_build)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let da_data = fs::read(dict_dir.join(common::DA_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let vals_data = fs::read(dict_dir.join(common::VALS_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let words_idx_data = fs::read(dict_dir.join(common::WORDS_IDX_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let words_data = fs::read(dict_dir.join(common::WORDS_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let connection_data = fs::read(dict_dir.join(common::CONNECTION_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let char_definition_data = fs::read(dict_dir.join(common::CHAR_DEFINITION_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let unknown_data = fs::read(dict_dir.join(common::UNKNOWN_DATA))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&stop_words_path, b"\xEF\xBB\xBFthe\r\nand\r\n").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = std::fs::File::open(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = std::fs::File::open(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&file_path, b"\xEF\xBB\xBFthe\r\nand\r\n").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let ca_cert = std::fs::read(ca_cert_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let cert = std::fs::read(client_cert_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let key = std::fs::read(client_key_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = fs::File::open(user_dict.unwrap())?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = std::fs::File::create(&path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&path, "ignored").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(path.join("dummy.txt"), "test").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
</> Dependencies
env_logger
rust dependencyexpand_more 3 low-confidence finding(s)
log::info!("a log from `MyLogger`");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
match std::env::var("RUST_LOG_STYLE") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var(&*self.name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
flate2
rust dependencyexpand_more 9 low-confidence finding(s)
let mut input = BufReader::new(File::open(args().nth(1).unwrap()).unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let output = File::create(args().nth(2).unwrap()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let input = BufReader::new(File::open(args().nth(1).unwrap()).unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut output = File::create(args().nth(2).unwrap()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let f = File::open("examples/hello_world.txt")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let f = File::create("examples/hello_world.txt.gz")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let f = File::open("examples/hello_world.txt")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let f = File::open("examples/hello_world.txt")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let f = File::open("examples/hello_world.txt")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
jieba-rs
rust dependencyexpand_more 3 low-confidence finding(s)
let path = Path::new(&env::var("OUT_DIR").unwrap()).join("hmm_prob.rs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let hmm_file = File::open("src/data/hmm.model").expect("cannot open hmm.model");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = BufWriter::new(File::create(&path).unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
libc
rust dependencyexpand_more 13 low-confidence finding(s)
let rustc_dep_of_std = env::var("CARGO_FEATURE_RUSTC_DEP_OF_STD").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let libc_ci = env::var("LIBC_CI").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_env = env::var("CARGO_CFG_TARGET_ENV").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_ptr_width = env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let which_freebsd = if let Ok(version) = env::var("RUST_LIBC_UNSTABLE_FREEBSD_VERSION") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let musl_v1_2_3 = env::var("RUST_LIBC_UNSTABLE_MUSL_V1_2_3").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let linux_time_bits64 = env::var("RUST_LIBC_UNSTABLE_LINUX_TIME_BITS64").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("RUST_LIBC_UNSTABLE_GNU_TIME_BITS"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("RUST_LIBC_UNSTABLE_GNU_FILE_OFFSET_BITS"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC").expect("Failed to get rustc version: missing RUSTC env");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut cmd = match env::var_os("RUSTC_WRAPPER") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
lindera
rust dependencyexpand_more 7 low-confidence finding(s)
File::open(
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("../resources")
.join("bocchan.txt"),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("../resources")
.join("bocchan.txt"),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("../resources")
.join("bocchan.txt"),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("../resources")
.join("bocchan.txt"),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(
PathBuf::from(env!("CARGO_MANIFEST_DIR"))
.join("../resources")
.join("bocchan.txt"),
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut input_read = File::open(file_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(config_path) = env::var("LINDERA_CONFIG_PATH") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
lindera-dictionary
rust dependencyexpand_more 21 low-confidence finding(s)
let (build_dir, is_cache) = if let Some(lindera_cache_dir) = env::var_os("LINDERA_CACHE") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PathBuf::from(lindera_cache_dir).join(env::var_os("CARGO_PKG_VERSION").unwrap()),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
PathBuf::from(env::var_os("OUT_DIR").unwrap()), /* ex) target/debug/build/<pkg>/out */
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var("DOCS_RS").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut dummy_char_def = File::create(input_dir.join("char.def"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut dummy_dict_csv = File::create(input_dir.join("dummy_dict.csv"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(input_dir.join("unk.def"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut dummy_matrix_def = File::create(input_dir.join("matrix.def"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut dest = File::create(tmp_path.as_path())?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut tar_gz = File::open(source_path_for_build)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(wtr_chardef_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(wtr_matrix_mtx_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(filename)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(dict_vals_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(dict_da_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(dict_words_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(dict_wordsidx_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(wtr_unk_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(output_file)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut input_read = File::open(filename)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(filename)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
lingua
rust dependencyexpand_more 11 low-confidence finding(s)
fs::write(report_file_path, report).expect("Reports file could not be written");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::File::create(&report_file_path).expect("CSV file could not be created");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(input_file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::create(file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let input_file = File::open(input_file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let sentences_file = File::create(sentences_file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let input_file = File::open(input_file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let single_words_file = File::create(single_words_file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let word_pairs_file = File::create(word_pairs_file_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let compressed_file = File::open(file_path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut test_data_file = File::open(file_path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pinyin
rust dependencyexpand_more 2 low-confidence finding(s)
let path = Path::new(&env::var("OUT_DIR").unwrap()).join(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Ok(BufWriter::new(File::create(&path)?))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
reqwest
rust dependencyexpand_more 42 low-confidence finding(s)
log::debug!("rustls failed to parse DER certificate: {err:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let file = File::open(path).await?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let req = client
.get("https://hyper.rs")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let req = client
.get(some_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let builder = client
.post("http://httpbin.org/post")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let builder = client.get("http://httpbin.org/get");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let builder = client
.get("http://httpbin.org/get")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let req = client.get(some_url).build().expect("request build");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
client.get("http://example.com")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let file = File::open(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let r = client.get(some_url).build().unwrap();
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url).build().unwrap();
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.put(some_url).build().unwrap();
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut r = client.get(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let r = client.post(some_url);
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let req = client
.get("https://hyper.rs")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let req = client
.get(some_url)
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let req = client.get(some_url).build().expect("request build");
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
log::debug!("proxy({proxy:?}) intercepts '{dst:?}'");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::debug!("starting new connection: {dst:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let raw = std::env::var("NO_PROXY")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.or_else(|_| std::env::var("no_proxy"))
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::debug!("retryable but could not withdraw from budget");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let pem_bundle = std::fs::read("tests/support/crl.pem").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut req = client
.get("https://www.example.com")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut req = client
.get("https://www.example.com")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut req2 = client
.get("https://www.example.com/x")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut req = client
.get("https://www.example.com")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut req2 = client
.get("https://www.example.com")
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
scopeguard
rust dependencyexpand_more 1 low-confidence finding(s)
let f = File::create("newfile.txt").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
serde_json
rust dependencyexpand_more 2 low-confidence finding(s)
let target_arch = env::var_os("CARGO_CFG_TARGET_ARCH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_pointer_width = env::var_os("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tantivy
rust dependencyexpand_more 6 low-confidence finding(s)
let reader = match fs::File::open(path) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(full_path).map_err(|io_err| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match File::open(full_path) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs.write(self.path.clone(), self.data.get_ref());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let exists = fs.write(path_buf.clone(), &[]);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("NUM_FUNCTIONAL_TEST_ITERATIONS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tar
rust dependencyexpand_more 4 low-confidence finding(s)
let file = File::create("foo.tar").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
a.append_file("lib.rs", &mut File::open("src/lib.rs").unwrap())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
append_file(dst, ar_name, &mut fs::File::open(path)?, options)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
append_file(dst, &dest, &mut fs::File::open(src)?, options)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tokio
rust dependencyexpand_more 6 low-confidence finding(s)
let std = asyncify(|| StdFile::open(path)).await?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let std_file = asyncify(move || StdFile::create(path)).await?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
asyncify(move || std::fs::read(path)).await
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
asyncify(move || std::fs::read_to_string(path)).await
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
asyncify(move || std::fs::write(path, contents)).await
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match std::env::var(ENV_WORKER_THREADS) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tonic
rust dependencyexpand_more 6 low-confidence finding(s)
tracing::debug!("connection task error: {:?}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("reconnect::poll_ready: {:?}", error);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("error: {}", error);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("errors occurred when loading native certs: {errors:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(error = %e, "tls accept error");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(error = %e, "accept loop error");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
unicode-general-category
rust dependencyexpand_more 2 low-confidence finding(s)
let output_path = PathBuf::from(env::var("OUT_DIR").unwrap()).join("category.rs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(path).unwrap_or_else(|_| panic!("unable to open {}", path.to_string_lossy()));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
zstd-sys
rust dependencyexpand_more 8 low-confidence finding(s)
let out_path = PathBuf::from(env::var_os("OUT_DIR").unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if cfg!(feature = "no_asm") || std::env::var("CARGO_CFG_WINDOWS").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let need_wasm_shim = env::var("TARGET").map_or(false, |target| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let dst = PathBuf::from(env::var_os("OUT_DIR").unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var("CARGO_CFG_TARGET_ARCH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_os = std::env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
|| env::var_os("ZSTD_SYS_USE_PKG_CONFIG").is_some()
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("CARGO_MANIFEST_DIR")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- github.com/klauspost/compress prod — module zip exceeds byte cap
- github.com/greatroar/blobloom prod — proxy 404
- github.com/milvus-io/milvus/client/v3 prod — proxy 404
- github.com/milvus-io/milvus/pkg/v3 prod — proxy 404
- google.golang.org/api prod — module zip exceeds byte cap
- github.com/milvus-io/milvus/client/v2 prod — proxy 404
- github.com/huaweicloud/huaweicloud-sdk-go-v3 prod — module zip exceeds byte cap
- tantivy-5 prod — no version pinned