Close Open Privacy Scan
App Privacy Score
Coverage too low to score · 418 finding(s)
bar_chart Score Breakdown
list Scan Summary
swap_horiz Application data flows
Not enough of this repository was analyzed to look for application data flows. Absence of findings here is not evidence of a clean result.
</> First-Party Code
first-party (rust): experimental/sgl-router
rust first-partyexpand_more 69 low-confidence finding(s)
tracing::warn!(error = ?e, "k8s watcher error; awaiting auto-restart");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("k8s discovery: event channel closed; exiting watcher");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("k8s watcher stream ended; discovery task exiting");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
K8sDiscoveryMode::Plain { label_selector } => tracing::info!(
namespace = %namespace_display,
label_selector = %label_selector,
"k8s discovery starting (plain mode); a wrong namespace or selector matches zero EndpointSlices"
),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
} => tracing::info!(
namespace = %namespace_display,
prefill_selector = %prefill_selector,
decode_selector = %decode_selector,
"k8s discovery starting (PD mode); a wrong namespace or selector matches zero EndpointSlices"
),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"static_urls discovery: event channel closed during fan-out; exiting"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"static_urls discovery: initial fan-out complete; parking until channel closes"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"static_urls discovery: event channel closed by receiver \
(worker manager dropped its end, or shutdown abort raced); exiting"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
default_level = %default_level,
?format,
error = %e,
"tracing subscriber already installed; continuing"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"sgl-router {} starting on {}:{}",
env!("CARGO_PKG_VERSION"),
cfg.server.host,
cfg.server.port
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("listening on {bind}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
request_id = %id,
worker = %entry.worker,
prefill_load = entry.prefill_load,
decode_load = entry.decode_load,
"stale request swept by active-load janitor",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
model = %ctx.model(),
hashing = if is_bigram { "bigram" } else { "unigram" },
n_blocks = block_hashes.len(),
matched_blocks = matched.matched_blocks,
match_rate,
cache_threshold = self.config.cache_threshold,
"cache-aware-zmq match_prefix",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
model = %ctx.model(),
match_rate,
cache_threshold = self.config.cache_threshold,
"cache-aware-zmq: overlap below threshold, falling back to min-load",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
model = %ctx.model(),
worker = %w.url,
matched_blocks = matched.matched_blocks,
"cache-aware-zmq: selected worker by cache overlap",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
established_bigram = existing == BIGRAM_BIGRAM,
worker_bigram = is_bigram,
"kv-events: worker hashing mode (bigram/EAGLE) disagrees with the \
established cluster value; keeping the first. A heterogeneous \
EAGLE/non-EAGLE cluster will silently never match cache for the \
minority workers — check that all workers run the same model.",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
worker_url = %worker_url,
speculative_algorithm = %algo,
"kv-events: unrecognized EAGLE-like speculative_algorithm; treating as \
non-bigram (unigram) hashing. If this is an EAGLE-family algorithm, \
cache-aware routing will silently never match — add it to classify_bigram",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
model = %model_id,
error = %e,
"ingress tokenize failed; routing/forwarding skips this prompt",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"StickyPolicy constructed outside a Tokio runtime; idle eviction is disabled"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
upstream = %url,
status = %status,
error = ?e,
"upstream dropped connection mid-body",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(error = %msg, "upstream SSE stream errored mid-flight");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("SSE client disconnected mid-stream");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(error = %msg, "SSE pump task panicked");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
%method,
%uri,
"request rejected with 413 PAYLOAD_TOO_LARGE (body exceeded route limit)",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("internal error serving request: {e:#}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
upstream = %worker,
error = %format_args!("{source:#}"),
"upstream worker unreachable",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
upstream_status = %status,
"upstream returned an error status",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(upstream = %worker, "upstream request timed out");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(model = %model, reason = "no_healthy_workers", "service unavailable");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
model = %model,
reason = "no_prefill_workers_available",
"service unavailable",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
model = %model,
reason = "no_decode_workers_available",
"service unavailable",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
model = %model,
reason = "stale_request_expired",
"stale-request janitor expired in-flight request",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(model = %model, reason = "policy_selection_failed", "service unavailable");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(upstream = %worker, reason = "breaker_open", "service unavailable");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
upstream = %worker,
error = %format_args!("{source:#}"),
"worker URL emitted by discovery is malformed",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("flush_cache called but no workers are registered");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(total_workers, "flush_cache: all workers flushed");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
total_workers,
succeeded = successful.len(),
failed = failed.len(),
"flush_cache: some workers failed to flush",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
decode_url = %url,
error = %e,
"decode worker URL rejected by header parser; sending request without decode hint",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
Ok(_) => tracing::debug!(
prefill_url = %prefill_url,
bootstrap_room,
"prefill side completed",
),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
Err(e) => tracing::warn!(
prefill_url = %prefill_url,
bootstrap_room,
error = %e,
"prefill request failed; decode will time out on bootstrap_room",
),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
request_id = %request_id,
method = "POST",
path = "/v1/chat/completions",
model = %metrics_model,
worker = %metrics_worker_url,
outcome = outcome_str,
http_status,
stream = streaming,
latency_ms = elapsed.as_millis() as u64,
"chat_completions",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
decode_url = %url,
error = %e,
"decode worker URL rejected by header parser on response; omitting response-side hint",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(error = %e, "chat-completions body rejected as non-object JSON");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(error = %e, "chat-completions request-probe deserialize failed");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
route = "/v1/tokenize",
model = %req.model,
prompt_len = req.prompt.len(),
error = ?e,
"tokenize.encode failed",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
route = "/v1/detokenize",
model = %req.model,
n_tokens = req.tokens.len(),
skip_special = req.skip_special_tokens,
error = ?e,
"detokenize.decode_complete failed",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(repo = %source, error = %e,
"could not download tokenizer_config.json; chat-template routing disabled for this model \
(expected if the repo ships none — otherwise check HF_TOKEN / network for a gated or private repo)");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let bytes = std::fs::read(&path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::debug!(
n_tokens = ids.len(),
trailing_bytes = s.len(),
"decode_complete: tokenizer returned Partial for non-streaming call"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(model = %model_id, %cause,
"chat-encoder failed; falling back to raw prompt-text hashing \
(cache-aware overlap degrades for this model; further failures log at debug)");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(model = %model_id, %cause,
"chat-encoder failed; falling back to raw prompt-text hashing");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(model = %model_id,
"chat-template routing enabled; chat requests route by templated tokens");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
Err(e) => tracing::warn!(model = %model_id, error = %e,
"failed to compile chat template; falling back to built-in detection"),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
Err(e) => tracing::warn!(model = %model_id, error = %e,
"failed to load tokenizer_config.json; falling back to built-in detection"),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(model = %model_id,
"DeepSeek-V4 routing enabled; chat requests route via the built-in V4 encoder");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(model = %model_id,
"no chat template or built-in encoder; chat traffic routes via raw prompt text");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
std::fs::write(&tok, "{}").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(
dir.path().join("tokenizer_config.json"),
r#"{"chat_template":"X","bos_token":"<s>"}"#,
)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&tok, "{}").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!("discovery: +worker {} ({:?})", spec.id, spec.mode);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("discovery: -worker {id}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
id = %id,
"discovery: Removed without a known URL; kv-events state (if any) not cleared",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("discovery: ~worker {id} mode→{mode:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
id = %id,
mode = ?mode,
"discovery: ModeChanged for unknown worker — out-of-order event from backend",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
worker_id = %id,
worker_url = %worker.url,
"reconcile: re-introspecting worker that registered without model_ids",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
worker_url = %worker_url,
backend_mode = ?spec.mode,
resolved_mode = ?new_mode,
backend_bootstrap_port = ?spec.bootstrap_port,
resolved_bootstrap_port = ?new_port,
"/server_info overrode discovery-backend classification",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
worker_url = %worker_url,
error = %e,
"worker manager: refused to register worker due to mixed PD/plain configuration",
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
worker_url = %url,
"Failed to parse worker URL for bootstrap_host; defaulting to 'localhost'"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
first-party (rust): rust/sglang-grpc
rust first-partyexpand_more 26 low-confidence finding(s)
std::path::PathBuf::from(std::env::var("OUT_DIR").unwrap())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::warn!(mutex = name, "Recovering from poisoned gRPC bridge mutex");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(affected, "gRPC abort_all cleared active response channels");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(rid, "Ignoring abort for inactive gRPC request id");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(rid, "gRPC on_ready callback failed: {}", err);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
rid,
"gRPC bridge received another chunk before the parked chunk drained; closing stream"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("{}.{} is unavailable: {}", context, attr, err);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("Could not extract {}.{} as string: {}", context, attr, err);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("Could not extract {}.{} as i32: {}", context, attr, err);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Could not extract tokenizer path; Rust tokenizer disabled");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Could not extract model_config.context_len; defaulting to 0");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
default = DEFAULT_RESPONSE_CHANNEL_CAPACITY,
"response_channel_capacity must be positive; using default"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
default = server::DEFAULT_RESPONSE_TIMEOUT_SECS,
"response_timeout_secs must be positive; using default"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("gRPC server exited with error: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
match std::env::var("SGLANG_TONIC_PAYLOAD") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!(
bytes = n,
"Using SGLANG_TONIC_PAYLOAD override for gRPC max message size"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
value = %raw,
default = DEFAULT_GRPC_MAX_MESSAGE_SIZE,
"Ignoring invalid SGLANG_TONIC_PAYLOAD; using default"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
rid,
"Skipping gRPC request abort because no Tokio runtime is available"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
rid,
"Unary gRPC response received non-terminal Data chunk; expected Finished"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"Received abort_all over gRPC; this endpoint must only be exposed to trusted clients"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("gRPC server listening on {}", addr);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("gRPC server shutting down");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"Rust tokenizer disabled because tokenizer_mode=slow for {:?}",
path
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"Rust tokenizer loaded via {} from {:?} (context_len={})",
tokenizer.backend_name(),
tokenizer_json,
context_len
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"Failed to load Rust tokenizer from {:?}: {}. Falling back to Python.",
tokenizer_json,
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Failed to parse model info JSON: {}", err);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
first-party (rust): sgl-model-gateway
rust first-partyexpand_more 53 low-confidence finding(s)
let target = std::env::var("TARGET").unwrap_or_else(|_| get_rustc_host().unwrap_or_default());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let profile = std::env::var("PROFILE").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = std::fs::read_to_string("Cargo.toml")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let cert = std::fs::read(cert_path).map_err(|e| ConfigError::ValidationFailed {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let key = std::fs::read(key_path).map_err(|e| ConfigError::ValidationFailed {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let cert = std::fs::read(path).map_err(|e| ConfigError::ValidationFailed {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let cert = std::fs::read(cert_path).map_err(|e| ConfigError::ValidationFailed {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let key = std::fs::read(key_path).map_err(|e| ConfigError::ValidationFailed {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let contents = std::fs::read_to_string(mcp_config_path).map_err(|e| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::warn!("Success recorded while circuit is open");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"Failed to parse URL '{}', defaulting to localhost",
metadata_url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"Failed to parse URL '{}', defaulting to localhost",
metadata_url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
worker_url = %self.url,
routing_key = %routing_key,
"Attempted to decrement routing key counter that is already at 0"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
worker_url = %self.url,
routing_key = %routing_key,
"Attempted to decrement non-existent routing key"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
worker_url = %self.metadata.url,
"Attempted to decrement load counter that is already at 0"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Setting {} models for worker {} via lazy discovery",
models.len(),
self.metadata.url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"Lazily initializing gRPC client ({}) for worker: {}",
runtime_str,
self.metadata.url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"Successfully connected gRPC client ({}) for worker: {}",
runtime_str,
self.metadata.url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Failed to connect gRPC client for worker {}: {}",
self.metadata.url,
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"reset_grpc_client called for {} (no-op with OnceCell)",
self.metadata.url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"gRPC health OK for {}: healthy={}",
self.metadata.url,
resp.healthy
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("gRPC health RPC error for {}: {err:?}", self.metadata.url);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("gRPC health timed out for {}", self.metadata.url);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"HTTP health check returned non-success status for {}: {}",
health_url,
status
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("HTTP health check failed for {}: {err:?}", health_url);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("Registry health checker shutting down");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Invalid mesh server address, so mesh server will not be started");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
match std::env::var("SGLANG_LOG_MS") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::debug!(
"Request to {} completed with success={}",
worker_url,
success
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("Failed to send event (likely client disconnect): {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
channel = "commentary",
recipient = ?recipient,
"Commentary message without valid recipient, treating as reasoning"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"Model generated Tool->Assistant message instead of Assistant message. \
This is a model hallucination bug where it copies tool result format."
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"No reasoning parser found for model '{}', skipping reasoning parsing",
chat_request.model
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"No tool parser found for model '{}', skipping tool call parsing",
chat_request.model
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"Failed to parse decode error body as JSON from {}: {} \
(status={}, body preview: {:?})",
decode.url(),
parse_err,
status.as_u16(),
preview
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
url = %url,
error = %e,
"Failed to forward request to OpenAI"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Client disconnected during /responses persistence \
stream from {}; continuing to drain upstream for \
storage",
upstream_url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"Client disconnected before next tool-call iteration to {}, cancelling",
url_clone
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Failed to send /responses tool-interception request to {}: {}",
url_clone,
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Upstream /responses tool-interception non-success from {}: status={} \
body={}",
url_clone,
status,
body
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Upstream /responses tool-interception stream error from {}: {}",
url_clone,
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
"Model refresh: found {} models from {}",
model_cards.len(),
url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Failed to parse models response: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Model refresh returned non-success status {} from {}",
response.status(),
url
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Failed to fetch models from backend: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Refreshing models for {} external workers",
external_workers.len()
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"No worker found for model '{}', refreshing external worker models",
model_id
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Failed to deserialize message content: {}",
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Failed to deserialize function_call: {}",
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Loading function_call_output from DB - content: {}",
serde_json::to_string_pretty(&item.content)
.unwrap_or_else(|_| "failed to serialize".to_string())
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Successfully deserialized function_call_output"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
"Failed to deserialize function_call_output: {}",
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("Mesh server failed: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
first-party (rust): sgl-model-gateway/bindings/golang
rust first-partyexpand_more 1 low-confidence finding(s)
tracing::warn!("Tool parser error: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
</> Dependencies
apache-tvm-ffi
rust dependencyexpand_more 8 low-confidence finding(s)
if env::var("CARGO_PKG_NAME").unwrap() == "tvm-ffi" {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let os_env_var = match env::var("CARGO_CFG_TARGET_OS").as_deref() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let current_val = env::var(os_env_var).unwrap_or_else(|_| String::new());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_rustdoc = env::var("RUSTDOC").is_ok() || env::var("CARGO_CFG_DOC").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_example_build = env::var("CARGO_FEATURE_EXAMPLE").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let output_dir = env::var("OUT_DIR").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let os_env_var = match env::var("CARGO_CFG_TARGET_OS").as_deref() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let current_val = env::var(os_env_var).unwrap_or_else(|_| String::new());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fastokens
rust dependencyexpand_more 13 low-confidence finding(s)
let json: TokenizerJson = serde_json::from_str(&std::fs::read_to_string(json_path)?)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let text = std::fs::read_to_string(&json_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let text = std::fs::read_to_string("outputs.txt").context("failed to read outputs.txt")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let text = std::fs::read_to_string(&json_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::File::create(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let json = std::fs::read_to_string(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let json: TokenizerJson = serde_json::from_str(&fs::read_to_string(path)?)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let raw = fs::read_to_string(json_path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Ok(fs::read_to_string(json_path)?)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let json: TokenizerJson = serde_json::from_str(&fs::read_to_string(json_path).unwrap())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
serde_json::from_str(&fs::read_to_string(lb_path).unwrap()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
serde_json::from_str(&fs::read_to_string(sg_path).unwrap()).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let progress = std::env::var("EXTENDED_PROGRESS").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
granian
rust dependencyexpand_more 17 low-confidence finding(s)
log::warn!("Unsupported websocket message received {v:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::info!("ASGI transport error: {err:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let res = match File::open(&file_path).await {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::info!("Cannot open file {}", &file_path);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::info!("Failed to close websocket with error {err:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
match File::open(&path).await {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::info!("Request static file {path} not found");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::warn!("Unsupported websocket message received {v:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
match File::open(&self.file_path).await {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::info!("Cannot open file {}", &self.file_path);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
match File::open(&self.file_path).await {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::error!("Cannot seek to position {} in file {}", self.start, &self.file_path);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::info!("Cannot open file {}", &self.file_path);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let content = fs::read(filename).expect("cannot load key");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::File::open(filename).expect("cannot load key"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::error!("Application callable raised an exception\n{errs}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::error!("WSGI protocol failure");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
libc
rust dependencyexpand_more 12 low-confidence finding(s)
let target_env = env::var("CARGO_CFG_TARGET_ENV").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_ptr_width = env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let which_freebsd = if let Ok(version) = env::var("RUST_LIBC_UNSTABLE_FREEBSD_VERSION") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let linux_time_bits64 = env::var("RUST_LIBC_UNSTABLE_LINUX_TIME_BITS64").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("RUST_LIBC_UNSTABLE_GNU_TIME_BITS"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("RUST_LIBC_UNSTABLE_GNU_FILE_OFFSET_BITS"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC").expect("Failed to get rustc version: missing RUSTC env");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut cmd = match env::var_os("RUSTC_WRAPPER") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let version = env::var("WIND_RELEASE_ID").ok()?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match env::var(key) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
llguidance
rust dependencyexpand_more 16 low-confidence finding(s)
let content = std::fs::read_to_string(path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = std::fs::read_to_string(&baseline_file)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&baseline_file, &json)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(jsb_data) = std::env::var("JSB_DATA") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(filename).unwrap_or_else(|_| panic!("Unable to create file {filename}"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::create(filename).unwrap_or_else(|_| panic!("Unable to create file {filename}"));
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = File::open(filename)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let crate_dir = env::var("CARGO_MANIFEST_DIR").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let existing = std::fs::read_to_string(&header_path).unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::write(&header_path, &filtered).expect("Failed to write llguidance.h");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(out_dir) = env::var("OUT_DIR") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let val = defs.get(key).unwrap();
Data is sent to a hardcoded external endpoint; review what leaves the process.
Fix: Verify the destination and that only non-sensitive data is sent; pin and audit the dependency.
let mut file = File::open(filename).expect("Unable to open file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = File::open(filename).expect("Unable to open file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
log::warn!("error: {e} for {tok_name:?}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
log::warn!("missing token: {tok_id}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
openai-harmony
rust dependencyexpand_more 6 low-confidence finding(s)
std::fs::read_to_string(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(base_dir) = std::env::var(TIKTOKEN_ENCODINGS_BASE_VAR) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = std::fs::File::open(path)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let cache_dir_override = std::env::var("TIKTOKEN_RS_CACHE_DIR").ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(file_path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::create(destination)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
openmetrics-parser
rust dependencyexpand_more 2 low-confidence finding(s)
let child_str = fs::read_to_string(child_path);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let child_str = fs::read_to_string(&path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
openssl
rust dependencyexpand_more 6 low-confidence finding(s)
if env::var("DEP_OPENSSL_LIBRESSL").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var("DEP_OPENSSL_BORINGSSL").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var("DEP_OPENSSL_AWSLC").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(v) = env::var("DEP_OPENSSL_LIBRESSL_VERSION_NUMBER") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(vars) = env::var("DEP_OPENSSL_CONF") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(version) = env::var("DEP_OPENSSL_VERSION_NUMBER") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
orjson
rust dependencyexpand_more 106 low-confidence finding(s)
if python_config.is_free_threaded() && std::env::var("ORJSON_BUILD_FREETHREADED").is_err() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("COUNTS")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var("CI").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
debug: match std::env::var_os("CC_ENABLE_DEBUG_OUTPUT") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = fs::File::create(&src)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let r = env::var_os(v);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = std::env::var("RUSTC").unwrap_or_else(|_| "rustc".to_string());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = std::env::var("RUSTC").unwrap_or_else(|_| "rustc".to_string());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::env::var_os(key)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os(name).map(Env::Owned)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match std::env::var("VisualStudioVersion") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut version_file = if let Ok(f) = File::open(&version_path) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(version_path).ok()?
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(path).map_err(|e| Error::io(e).path(path))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let var = std::env::var_os(name)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(path).map_err(|e| Error::io(e).path(path))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Some(val) = std::env::var_os(ENV) else { return Ok(()) };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Some(tzdir) = std::env::var_os("TZDIR") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
File::open(path).map_err(|e| Error::io(e).path(path))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut f = match File::open(path) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Some(val) = std::env::var_os(ENV) else { return Ok(()) };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Some(tzenv) = std::env::var_os("TZ") else { return Ok(None) };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let data = std::fs::read(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Some(val) = std::env::var_os(ENV) else { return Ok(()) };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::read(&val).with_context(|| alloc::format!("{val:?}"))?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let Ok(bytes) = std::fs::read(dent.path()) else { continue };
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = match File::open(path) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let data = std::fs::read(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_env = env::var("CARGO_CFG_TARGET_ENV").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_ptr_width = env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let which_freebsd = if let Ok(version) = env::var("RUST_LIBC_UNSTABLE_FREEBSD_VERSION") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let linux_time_bits64 = env::var("RUST_LIBC_UNSTABLE_LINUX_TIME_BITS64").is_ok();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("RUST_LIBC_UNSTABLE_GNU_TIME_BITS"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("RUST_LIBC_UNSTABLE_GNU_FILE_OFFSET_BITS"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC").expect("Failed to get rustc version: missing RUSTC env");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut cmd = match env::var_os("RUSTC_WRAPPER") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let version = env::var("WIND_RELEASE_ID").ok()?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
match env::var(key) {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target = &*env::var("TARGET").expect("TARGET not set");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_arch = &*env::var("CARGO_CFG_TARGET_ARCH").expect("CARGO_CFG_TARGET_ARCH not set");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_os = &*env::var("CARGO_CFG_TARGET_OS").expect("CARGO_CFG_TARGET_OS not set");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var_os("PORTABLE_ATOMIC_DENY_WARNINGS").is_some() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let sanitize = env::var("CARGO_CFG_SANITIZE").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_apple = env::var("CARGO_CFG_TARGET_VENDOR").unwrap_or_default() == "apple";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let is_apple = env::var("CARGO_CFG_TARGET_VENDOR").unwrap_or_default() == "apple";
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var_os("PORTABLE_ATOMIC_DENY_WARNINGS").is_some() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
pwr8_features = env::var("CARGO_CFG_TARGET_ENDIAN")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Some(rustflags) = env::var_os("CARGO_ENCODED_RUSTFLAGS") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustflags = env::var_os("CARGO_ENCODED_RUSTFLAGS")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var_os("RUSTC_STAGE").is_some() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Some(rustflags) = env::var_os("CARGO_ENCODED_RUSTFLAGS") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc_wrapper = if env::var_os("CARGO_ENCODED_RUSTFLAGS").is_some() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("RUSTC_WRAPPER").filter(|v| !v.is_empty())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let nightly = match env::var_os("RUSTC_BOOTSTRAP") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if env::var_os("PORTABLE_ATOMIC_DENY_WARNINGS").is_some() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
&& env::var("CARGO_CFG_TARGET_OS").expect("CARGO_CFG_TARGET_OS not set") == "hermit"
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let sanitize = env::var("CARGO_CFG_SANITIZE").unwrap_or_default();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc_wrapper = if env::var_os("CARGO_ENCODED_RUSTFLAGS").is_some() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("RUSTC_WRAPPER").filter(|v| !v.is_empty())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let nightly = match env::var_os("RUSTC_BOOTSTRAP") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
} else if let Some(rustc_bootstrap) = env::var_os("RUSTC_BOOTSTRAP") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("RUSTC_STAGE").is_none() && do_compile_probe(feature, rustc_bootstrap)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("RUSTC_STAGE").is_some() || do_compile_probe(feature, true)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc_wrapper = env::var_os("RUSTC_WRAPPER").filter(|wrapper| !wrapper.is_empty());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("RUSTC_WORKSPACE_WRAPPER").filter(|wrapper| !wrapper.is_empty());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Some(target) = env::var_os("TARGET") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(rustflags) = env::var("CARGO_ENCODED_RUSTFLAGS") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os(key).unwrap_or_else(|| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target = Path::new(&env::var_os("OUT_DIR").unwrap()).join(name);
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
.to_writer(&mut std::fs::File::create(&target).with_context(|| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
std::fs::File::create(&target)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var("CARGO_FEATURE_RESOLVE_CONFIG").is_ok() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os(var).map(|os_string| os_string.to_str().unwrap().into())
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os(var)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var("TARGET")
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let config_file = std::fs::File::open(path)
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut script = fs::read_to_string(sysconfigdata_path).with_context(|| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("OUT_DIR").expect("generate_import_lib() must be called from a build script");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("TARGET").map(|target| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
interpreter_config.to_writer(&mut std::fs::File::create(&path).with_context(
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var("UNSAFE_PYO3_SKIP_VERSION_CHECK").as_deref() == Ok("1") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let patch_version = env::var("CARGO_PKG_VERSION_PATCH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(out_dir.join("private.rs"), module).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let out_dir = PathBuf::from(env::var_os("OUT_DIR").unwrap());
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let patch_version = env::var("CARGO_PKG_VERSION_PATCH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
fs::write(out_dir.join("private.rs"), module).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target = env::var("TARGET").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC")?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_arch = env::var_os("CARGO_CFG_TARGET_ARCH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_pointer_width = env::var_os("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = fs::read_to_string(FILE).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let content = fs::read_to_string(path).unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os("OUT_DIR").expect("The OUT_DIR environment variable must be set"),
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target = env::var("TARGET").expect("The TARGET environment variable must be set");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let out = File::create(out_dir.join("host.rs")).expect("error creating host.rs");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let rustc = env::var_os("RUSTC").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
env::var_os(key).unwrap_or_else(|| {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
py-spy
rust dependencyexpand_more 9 low-confidence finding(s)
let target_arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let file = File::open(filename)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if std::env::var("PYSPY_ALLOW_FREEBSD_ATTACH").is_err() {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut file = File::open(filename)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let contents = std::fs::read_to_string(filename)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
let mut out_file = std::fs::File::create(&filename)?;
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(sudo_uid) = std::env::var("SUDO_UID") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
if let Ok(cgroups) = std::fs::read_to_string("/proc/self/cgroup") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
redis
rust dependencyexpand_more 1 low-confidence finding(s)
let redis_url = match env::var("REDIS_URL") {
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
rmcp
rust dependencyexpand_more 60 low-confidence finding(s)
tracing::warn!("Failed to send progress notification: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("client initialized");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("trying to set peer info, which is already initialized");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(?peer_info, "Service initialized as client");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(?peer_info, "Service initialized as server");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(id = %param.request_id, reason = param.reason, "cancelled");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(%error, "fail to response message");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(%id, ?request, "received request");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(%id, ?result, "response message");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(%id, ?error, "response error");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(?notification, "received notification");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(id = %cancelled.params.request_id, reason = cancelled.params.reason, "cancelled");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(%error, "Error sending notification");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(%id, "Error sending response");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(%id, "Error sending response");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(%e, "fail to close sink");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(?quit_reason, "serve finished");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(?error, "Handle logging before handshake failed.");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
_ => tracing::warn!(?message, "Received unexpected message"),
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("Error reading from stream: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(
"Failed to parse message {}: {} | Error: {}",
context,
line_str,
e
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("Error reading from stream: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("Error killing child process: {}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(%id, "sse stream error: {error}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("sse stream error: {error}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(last_event_id=%last_id, "failed to deserialize server message: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("sse stream terminated");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("retry sse stream error: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("sse stream error: {e}, max retry times reached");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("this server doesn't support deleting session");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("unexpected content type: {:?}", content_type);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("Internal server error when {context}: {error}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
uri = %self.uri,
last_event_id = last_event_id.unwrap_or(""),
"sse stream error: {error}"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(session_id, ?parts, ?message, "new client message");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("send message error");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(%session, ?parts, "sse connection");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!("send transport out error");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(%session_id, "Closed session and cleaned up resources");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("sse server cancelled");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(error = %e, "sse server shutdown with error");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("got response, closing sse stream");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(session_id = session_id.as_ref(), "delete session success")
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(
session_id = session_id.as_ref(),
"server doesn't support delete session"
)
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!(
session_id = session_id.as_ref(),
"fail to delete session: {e}"
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("got common stream");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("server doesn't support sse, skip common stream");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("fail to get common stream: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(
"sse client event stream terminated with error: {:?}",
result
);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(http_request_id, "close http request wise channel");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(http_request_id, "http request wise channel not found");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!(http_request_id, "establish new request wise channel");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::warn!(?error, "failed to send message to http service handler");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(session_id = ?id, "create new session");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("Failed to create service: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("Failed to close session {session_id}: {e}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!(?message);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("worker quit with reason: {:?}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("worker quit with join error: {:?}", e);
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::error!("worker quit with fatal: {error}, when {context}");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::debug!("worker quit");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing-appender
rust dependencyexpand_more 13 low-confidence finding(s)
let file = fs::read_to_string(&path).expect("Failed to read file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!("file 1");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 1");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 2");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 2");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let file = fs::read_to_string(&path).expect("Failed to read file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
tracing::info!("file 1");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 1");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 2");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 2");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 3");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
tracing::info!("file 3");
A telemetry/analytics SDK is used; event data is sent to a third-party collector.
Fix: Ensure user consent and a lawful basis; strip PII from event payloads.
let file = fs::read_to_string(&path).expect("Failed to read file");
Reads environment variables or the filesystem — an inventory-level capability, not a leak on its own.
Fix: Usually benign; confirm any secret read here is not later sent externally.
Skipped dependencies
Production
- cuda-python prod — no sdist (wheels only)
- decord2 prod — no sdist (wheels only)
- nvidia-cutlass-dsl prod — no sdist (wheels only)
- nvidia-mathdx prod — no sdist (wheels only)
- pillow prod — sdist exceeds byte cap
- scipy prod — sdist exceeds byte cap
- sgl-deep-gemm prod — no sdist (wheels only)
- sglang-kernel prod — no sdist (wheels only)
- tilelang prod — sdist exceeds byte cap
- tokenspeed_mla prod — no sdist (wheels only)
- torch prod — no sdist (wheels only)
- torchao prod — no sdist (wheels only)
- torchaudio prod — no sdist (wheels only)
- torchcodec prod — no sdist (wheels only)
- torchvision prod — no sdist (wheels only)
- runai-model-streamer prod — no sdist (wheels only)
- cache-dit prod — no sdist (wheels only)
- moviepy prod — sdist exceeds byte cap
- nvidia-modelopt prod — no sdist (wheels only)
- opencv-python-headless prod — sdist exceeds byte cap
- runai_model_streamer prod — no sdist (wheels only)
- st_attn prod — no sdist (wheels only)
- vsa prod — no sdist (wheels only)
- ray prod — no sdist (wheels only)
- sglang prod — no sdist (wheels only)
- triton prod — no sdist (wheels only)
- mooncake-transfer-engine-non-cuda prod — no sdist (wheels only)
- amd-sglang prod — no python source in sdist
- petit_kernel prod — no sdist (wheels only)
- wave-lang prod — no sdist (wheels only)
- torch_musa prod — pypi 404
- mthreads-ml-py prod — no sdist (wheels only)
- flash_attn_3 prod — no sdist (wheels only)
- github.com/sglang/sglang-go-grpc-sdk prod — proxy 404
- dynamo-protocols prod — no version pinned
- dynamo-tokenizers prod — no version pinned
- dynamo-parsers prod — no version pinned
- tokio prod — cdn 403
- axum prod — cdn 403
- tower prod — cdn 403
- tower-http prod — cdn 403
- serde prod — cdn 403
- reqwest prod — cdn 403
- serde_json prod — cdn 403
- hf-hub prod — cdn 403
- minijinja prod — cdn 403
- chrono prod — cdn 403
- minijinja-contrib prod — cdn 403
- anyhow prod — cdn 403
- thiserror prod — cdn 403
- clap prod — cdn 403
- tracing prod — cdn 403
- tracing-subscriber prod — cdn 403
- futures prod — cdn 403
- bytes prod — cdn 403
- rand prod — cdn 403
- tokio-stream prod — cdn 403
- dashmap prod — cdn 403
- kube prod — cdn 403
- tokio-util prod — cdn 403
- uuid prod — cdn 403
- k8s-openapi prod — cdn 403
- rmp-serde prod — cdn 403
- sha2 prod — cdn 403
- parking_lot prod — cdn 403
- url prod — cdn 403
- zeromq prod — cdn 403
- pyo3 prod — cdn 403
- tonic prod — cdn 403
- prost prod — cdn 403
- tokenizers prod — cdn 403
- async-stream prod — cdn 403
- http-body prod — cdn 403
- futures-util prod — cdn 403
- blake3 prod — cdn 403
- xxhash-rust prod — cdn 403
- bytemuck prod — cdn 403
- async-trait prod — cdn 403
- tracing-log prod — cdn 403
- opentelemetry prod — cdn 403
- opentelemetry_sdk prod — cdn 403
- opentelemetry-otlp prod — cdn 403
- tracing-opentelemetry prod — cdn 403
- regex prod — cdn 403
- memchr prod — cdn 403
- reasoning-parser prod — invalid crate version
- openai-protocol prod — invalid crate version
- tool-parser prod — invalid crate version
- llm-tokenizer prod — invalid crate version
- smg-auth prod — invalid crate version
- wfaas prod — invalid crate version
- data-connector prod — invalid crate version
- smg-mcp prod — invalid crate version
- smg-wasm prod — invalid crate version
- smg-mesh prod — invalid crate version
- rustls prod — cdn 403
- rustls-pemfile prod — cdn 403
- serde_yaml prod — cdn 403
- subtle prod — cdn 403
- num-traits prod — cdn 403
- num-bigint prod — cdn 403
- jsonwebtoken prod — cdn 403
- openai-harmony prod — no version pinned
- base64 prod — cdn 403
- smg-grpc-client prod — invalid crate version
- crdts prod — cdn 403
- wasmtime prod — cdn 403
- sgl-model-gateway prod — no version pinned
- wit-bindgen prod — cdn 403