sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity

feat: add floating help chat widget, remove settings page #51

Merged
sharang merged 2 commits from feat/help-chat-widget into main 2026-03-30 08:05:30 +00:00
Conversation 2 Commits 2 Files Changed 17 +856 -197
sharang commented 2026-03-30 07:43:49 +00:00
Owner
Copy Link

Documentation-grounded help chat assistant accessible from every page. Loads project docs as LLM context via LiteLLM. Also removes the unused Settings page.

Documentation-grounded help chat assistant accessible from every page. Loads project docs as LLM context via LiteLLM. Also removes the unused Settings page.
sharang added 1 commit 2026-03-30 07:43:49 +00:00
feat: add floating help chat widget, remove settings page
Some checks failed
CI / Detect Changes (pull_request) Has been cancelled
Details
CI / Deploy Agent (pull_request) Has been cancelled
Details
CI / Deploy Dashboard (pull_request) Has been cancelled
Details
CI / Deploy Docs (pull_request) Has been cancelled
Details
CI / Deploy MCP (pull_request) Has been cancelled
Details
CI / Check (pull_request) Has been cancelled
Details
263a4e654a 
Add a documentation-grounded help chat assistant accessible from every
page via a floating button in the bottom-right corner.

Backend (compliance-agent):
- New POST /api/v1/help/chat endpoint
- Loads README.md + docs/**/*.md at first request (OnceLock cache)
- Excludes node_modules, uses walkdir for discovery
- Falls back to degraded prompt if docs not found
- Uses LiteLLM via existing chat_with_messages infrastructure

Dashboard (compliance-dashboard):
- New HelpChat component with toggle button, message area, input
- Styled to match Obsidian Control theme (dark, accent cyan)
- Renders in AppShell so it's available on every page
- Multi-turn conversation with history
- Server function proxies to agent API

Also:
- Remove Settings page (route, sidebar entry, page file)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sharang reviewed 2026-03-30 07:45:08 +00:00
sharang left a comment
Author
Owner
Copy Link

Compliance scan found 38 issue(s) in this PR:

  • [high] code-review/security: Potential XSS Vulnerability via Dangerous Inner HTML
  • [high] code-review/complexity: Deleted settings page file
  • [medium] code-review/convention: Missing error handling for authentication check
  • [medium] code-review/complexity: CSS file contains excessive new content
  • [high] code-review/security: Sensitive Data Exposure in Frontend
  • [medium] code-review/convention: Potential panic in doc loading due to unwrap usage
  • [medium] code-review/convention: Inconsistent error handling in async blocks
  • [low] code-review/convention: Missing type annotations on public API parameters
  • [low] code-review/convention: Missing type annotations in server function parameters
  • [high] code-review/logic: Potential panic in load_docs when stripping path prefix
  • [medium] code-review/convention: Inconsistent error handling in server function
  • [medium] code-review/complexity: Complex boolean expression in server function
  • [high] code-review/security: Potential Server-Side Request Forgery (SSRF) via Help Chat API
  • [medium] code-review/logic: Potential race condition in loading state management
  • [high] code-review/security: Path Traversal via Documentation Loading
  • [medium] code-review/security: Potential Information Disclosure Through File Content Exposure
  • [medium] code-review/convention: Potential security vulnerability in HTML rendering
  • [low] code-review/convention: Redundant string conversion in message building
  • [medium] code-review/security: Insecure File Reading with Potential Directory Traversal
  • [medium] code-review/logic: Missing Settings Page Route
  • [medium] code-review/logic: Redundant message history construction
  • [medium] code-review/security: Insecure Deserialization in Help Chat History Messages
  • [medium] code-review/complexity: Deeply nested control flow in doc loading
  • [medium] code-review/security: Potential Information Disclosure Through Logging
  • [high] code-review/logic: Inefficient HTML sanitization approach
  • [medium] code-review/complexity: Deeply Nested Control Flow
  • [medium] code-review/logic: Duplicate message sending logic
  • [medium] code-review/complexity: Large function with multiple responsibilities
  • [high] code-review/security: Missing Input Validation in Help Chat Component
  • [high] code-review/logic: Incorrect filtering of non-Markdown files
  • [medium] code-review/complexity: Complex boolean expression in file filtering
  • [high] code-review/logic: Missing error handling for HTTP response status
  • [low] code-review/convention: Missing type annotations in component function signature
  • [medium] code-review/logic: Unnecessary unwrap_or in find_project_root
  • [medium] code-review/complexity: Code Duplication in Message Sending Logic
  • [medium] code-review/complexity: Complex Boolean Expression in Key Handler
  • [high] code-review/security: Insecure Markdown Rendering Implementation
  • [medium] code-review/convention: Inconsistent error handling in help_chat handler
Compliance scan found **38** issue(s) in this PR: - **[high]** code-review/security: Potential XSS Vulnerability via Dangerous Inner HTML - **[high]** code-review/complexity: Deleted settings page file - **[medium]** code-review/convention: Missing error handling for authentication check - **[medium]** code-review/complexity: CSS file contains excessive new content - **[high]** code-review/security: Sensitive Data Exposure in Frontend - **[medium]** code-review/convention: Potential panic in doc loading due to unwrap usage - **[medium]** code-review/convention: Inconsistent error handling in async blocks - **[low]** code-review/convention: Missing type annotations on public API parameters - **[low]** code-review/convention: Missing type annotations in server function parameters - **[high]** code-review/logic: Potential panic in `load_docs` when stripping path prefix - **[medium]** code-review/convention: Inconsistent error handling in server function - **[medium]** code-review/complexity: Complex boolean expression in server function - **[high]** code-review/security: Potential Server-Side Request Forgery (SSRF) via Help Chat API - **[medium]** code-review/logic: Potential race condition in loading state management - **[high]** code-review/security: Path Traversal via Documentation Loading - **[medium]** code-review/security: Potential Information Disclosure Through File Content Exposure - **[medium]** code-review/convention: Potential security vulnerability in HTML rendering - **[low]** code-review/convention: Redundant string conversion in message building - **[medium]** code-review/security: Insecure File Reading with Potential Directory Traversal - **[medium]** code-review/logic: Missing Settings Page Route - **[medium]** code-review/logic: Redundant message history construction - **[medium]** code-review/security: Insecure Deserialization in Help Chat History Messages - **[medium]** code-review/complexity: Deeply nested control flow in doc loading - **[medium]** code-review/security: Potential Information Disclosure Through Logging - **[high]** code-review/logic: Inefficient HTML sanitization approach - **[medium]** code-review/complexity: Deeply Nested Control Flow - **[medium]** code-review/logic: Duplicate message sending logic - **[medium]** code-review/complexity: Large function with multiple responsibilities - **[high]** code-review/security: Missing Input Validation in Help Chat Component - **[high]** code-review/logic: Incorrect filtering of non-Markdown files - **[medium]** code-review/complexity: Complex boolean expression in file filtering - **[high]** code-review/logic: Missing error handling for HTTP response status - **[low]** code-review/convention: Missing type annotations in component function signature - **[medium]** code-review/logic: Unnecessary `unwrap_or` in `find_project_root` - **[medium]** code-review/complexity: Code Duplication in Message Sending Logic - **[medium]** code-review/complexity: Complex Boolean Expression in Key Handler - **[high]** code-review/security: Insecure Markdown Rendering Implementation - **[medium]** code-review/convention: Inconsistent error handling in help_chat handler
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +28,4 @@
pub struct HelpChatResponse {
pub message: String,
}
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Unnecessary unwrap_or in find_project_root

In find_project_root, the current.pop() call can return false when reaching the root directory, but the loop continues even after popping to the root. This may cause an infinite loop or unexpected behavior if current.pop() fails to pop further.

Suggested fix: Ensure that current.pop() is checked properly and that the loop terminates correctly when reaching the filesystem root.

*Scanner: code-review/logic | *

**[medium] Unnecessary `unwrap_or` in `find_project_root`** In `find_project_root`, the `current.pop()` call can return false when reaching the root directory, but the loop continues even after popping to the root. This may cause an infinite loop or unexpected behavior if `current.pop()` fails to pop further. Suggested fix: Ensure that `current.pop()` is checked properly and that the loop terminates correctly when reaching the filesystem root. *Scanner: code-review/logic | * <!-- compliance-fp:02c4e9afc43ed9b395b629d0e82e35365829a885d31ce5db7e15af42341a9d9d -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +32,4 @@
// ── Doc cache ────────────────────────────────────────────────────────────────
static DOC_CONTEXT: OnceLock<String> = OnceLock::new();
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Deeply nested control flow in doc loading

The load_docs function has deeply nested control flow with multiple if/else branches and nested loops that make it difficult to follow the execution path. The function has 4 levels of nesting which increases complexity.

Suggested fix: Refactor the function to reduce nesting by extracting inner logic into smaller helper functions. Consider early returns and reducing the number of nested conditions.

*Scanner: code-review/complexity | *

**[medium] Deeply nested control flow in doc loading** The load_docs function has deeply nested control flow with multiple if/else branches and nested loops that make it difficult to follow the execution path. The function has 4 levels of nesting which increases complexity. Suggested fix: Refactor the function to reduce nesting by extracting inner logic into smaller helper functions. Consider early returns and reducing the number of nested conditions. *Scanner: code-review/complexity | * <!-- compliance-fp:c4bd24f3a999317cadb959e821ddfd67b9403f6d80aad65a24aff7bd061b070c -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +49,4 @@
/// Read README.md + all docs/**/*.md (excluding node_modules).
fn load_docs(root: &Path) -> String {
let mut parts: Vec<String> = Vec::new();
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[high] Incorrect filtering of non-Markdown files

The filter condition for Markdown files in load_docs uses !s.eq_ignore_ascii_case("md"), which excludes files ending in .md. This is backwards - it should be s.eq_ignore_ascii_case("md") to include only Markdown files.

Suggested fix: Change !s.eq_ignore_ascii_case("md") to s.eq_ignore_ascii_case("md") to correctly filter for Markdown files.

*Scanner: code-review/logic | *

**[high] Incorrect filtering of non-Markdown files** The filter condition for Markdown files in `load_docs` uses `!s.eq_ignore_ascii_case("md")`, which excludes files ending in `.md`. This is backwards - it should be `s.eq_ignore_ascii_case("md")` to include only Markdown files. Suggested fix: Change `!s.eq_ignore_ascii_case("md")` to `s.eq_ignore_ascii_case("md")` to correctly filter for Markdown files. *Scanner: code-review/logic | * <!-- compliance-fp:0ca420b612297b382a3d12aaba34045c70b0b8a5c088abab4ea84d05306408c9 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +51,4 @@
fn load_docs(root: &Path) -> String {
let mut parts: Vec<String> = Vec::new();
// Root README first
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Path Traversal via Documentation Loading

The help_chat handler loads documentation files from the filesystem based on project root detection. The find_project_root function walks up the directory tree to find a directory containing README.md and docs/, but does not validate that the discovered root is within expected boundaries. This could allow an attacker to manipulate the file loading behavior by placing malicious files in unexpected locations, potentially leading to path traversal or arbitrary file reading.

Suggested fix: Add validation to ensure the discovered project root is within a safe, expected directory hierarchy. Consider restricting the search to a specific allowed base path or implementing additional checks to prevent traversal beyond intended directories.

Scanner: code-review/security | CWE: CWE-22

**[high] Path Traversal via Documentation Loading** The help_chat handler loads documentation files from the filesystem based on project root detection. The `find_project_root` function walks up the directory tree to find a directory containing README.md and docs/, but does not validate that the discovered root is within expected boundaries. This could allow an attacker to manipulate the file loading behavior by placing malicious files in unexpected locations, potentially leading to path traversal or arbitrary file reading. Suggested fix: Add validation to ensure the discovered project root is within a safe, expected directory hierarchy. Consider restricting the search to a specific allowed base path or implementing additional checks to prevent traversal beyond intended directories. *Scanner: code-review/security | CWE: CWE-22* <!-- compliance-fp:76ac519157cdfbe6a67bcb4ceda65576a16dbf8d56d83b4c5b6d91b4131a804a -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +53,4 @@
// Root README first
if let Ok(content) = std::fs::read_to_string(root.join("README.md")) {
parts.push(format!("<!-- file: README.md -->\n{content}"));
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Complex boolean expression in file filtering

The boolean expression in the filter_entry closure uses multiple nested conditions that are hard to follow. Specifically, the line checking for non-md files is complex and could be simplified.

Suggested fix: Extract the file extension check into a separate helper function or simplify the boolean logic by breaking it into clear steps. Consider using a more readable pattern like: if path.extension().and_then(|s| s.to_str()).map(|s| s.eq_ignore_ascii_case("md")).unwrap_or(false) { continue; }

*Scanner: code-review/complexity | *

**[medium] Complex boolean expression in file filtering** The boolean expression in the filter_entry closure uses multiple nested conditions that are hard to follow. Specifically, the line checking for non-md files is complex and could be simplified. Suggested fix: Extract the file extension check into a separate helper function or simplify the boolean logic by breaking it into clear steps. Consider using a more readable pattern like: `if path.extension().and_then(|s| s.to_str()).map(|s| s.eq_ignore_ascii_case("md")).unwrap_or(false) { continue; }` *Scanner: code-review/complexity | * <!-- compliance-fp:ad8f9646e3587f284240388c4901ec6201e1bcd3d5681aaa9ae83cb176d264f1 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +64,4 @@
!e.path()
.components()
.any(|c| c.as_os_str() == "node_modules")
})
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Potential panic in doc loading due to unwrap usage

The load_docs function uses unwrap_or(path) which can panic if strip_prefix fails. While this is unlikely, it's an unsafe pattern that could crash the application if the path manipulation logic breaks unexpectedly.

Suggested fix: Replace unwrap_or with a more graceful fallback or handle the error case explicitly to prevent potential panics.

*Scanner: code-review/convention | *

**[medium] Potential panic in doc loading due to unwrap usage** The load_docs function uses unwrap_or(path) which can panic if strip_prefix fails. While this is unlikely, it's an unsafe pattern that could crash the application if the path manipulation logic breaks unexpectedly. Suggested fix: Replace unwrap_or with a more graceful fallback or handle the error case explicitly to prevent potential panics. *Scanner: code-review/convention | * <!-- compliance-fp:33a93c3ba7d2c1d88504a0a70e9686ca0dfe7940315a51df9ccb2dfb3c7b9ca6 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +66,4 @@
.any(|c| c.as_os_str() == "node_modules")
})
.filter_map(|e| e.ok())
{
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Potential panic in load_docs when stripping path prefix

In the load_docs function, path.strip_prefix(root).unwrap_or(path) can panic if root is not a prefix of path. This happens when path is outside the root directory, which shouldn't occur given the filtering logic, but there's a potential race condition or incorrect assumption that could lead to this.

Suggested fix: Replace unwrap_or(path) with a safe fallback like path.to_string_lossy().to_string() or handle the error case explicitly to avoid potential panics.

*Scanner: code-review/logic | *

**[high] Potential panic in `load_docs` when stripping path prefix** In the `load_docs` function, `path.strip_prefix(root).unwrap_or(path)` can panic if `root` is not a prefix of `path`. This happens when `path` is outside the `root` directory, which shouldn't occur given the filtering logic, but there's a potential race condition or incorrect assumption that could lead to this. Suggested fix: Replace `unwrap_or(path)` with a safe fallback like `path.to_string_lossy().to_string()` or handle the error case explicitly to avoid potential panics. *Scanner: code-review/logic | * <!-- compliance-fp:e5836684030a2c1c30386e706014304fbe23361a6a162ae6806a15eebcc3487f -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +70,4 @@
let path = entry.path();
if !path.is_file() {
continue;
}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Insecure File Reading with Potential Directory Traversal

The load_docs function reads all .md files from the 'docs/' directory recursively. While it filters out node_modules, it doesn't validate that the paths being read are within the intended documentation directory. An attacker could potentially place malicious markdown files in unexpected locations that would be included in the documentation context, leading to potential information disclosure or injection attacks.

Suggested fix: Implement stricter path validation to ensure all files being read are within the documented 'docs/' directory. Add checks to prevent reading files outside of the intended scope, such as verifying that the absolute path of each file is within the docs directory.

Scanner: code-review/security | CWE: CWE-22

**[medium] Insecure File Reading with Potential Directory Traversal** The `load_docs` function reads all .md files from the 'docs/' directory recursively. While it filters out node_modules, it doesn't validate that the paths being read are within the intended documentation directory. An attacker could potentially place malicious markdown files in unexpected locations that would be included in the documentation context, leading to potential information disclosure or injection attacks. Suggested fix: Implement stricter path validation to ensure all files being read are within the documented 'docs/' directory. Add checks to prevent reading files outside of the intended scope, such as verifying that the absolute path of each file is within the docs directory. *Scanner: code-review/security | CWE: CWE-22* <!-- compliance-fp:21f3c58b8f7736cc2c05d1d759dab510ebbd6d4b1e078fdf812ec14c2e2ba42a -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +76,4 @@
.and_then(|s| s.to_str())
.map(|s| !s.eq_ignore_ascii_case("md"))
.unwrap_or(true)
{
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Potential Information Disclosure Through File Content Exposure

The help_chat handler includes file contents directly in the system prompt without sanitization. If any documentation file contains sensitive information (like API keys, passwords, or internal paths), this information could be exposed to the LLM and potentially leaked through responses. Additionally, the file inclusion mechanism could expose internal project structure details.

Suggested fix: Consider implementing content filtering or sanitization before including file contents in prompts. Alternatively, implement a whitelist of allowed documentation files or add a mechanism to exclude sensitive content from being included in the context.

Scanner: code-review/security | CWE: CWE-200

**[medium] Potential Information Disclosure Through File Content Exposure** The help_chat handler includes file contents directly in the system prompt without sanitization. If any documentation file contains sensitive information (like API keys, passwords, or internal paths), this information could be exposed to the LLM and potentially leaked through responses. Additionally, the file inclusion mechanism could expose internal project structure details. Suggested fix: Consider implementing content filtering or sanitization before including file contents in prompts. Alternatively, implement a whitelist of allowed documentation files or add a mechanism to exclude sensitive content from being included in the context. *Scanner: code-review/security | CWE: CWE-200* <!-- compliance-fp:013aff4509a775822b6f5e638262cc557f8f79ddb12ebc1416f36a4d461a3562 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +137,4 @@
pub async fn help_chat(
Extension(agent): AgentExt,
Json(req): Json<HelpChatRequest>,
) -> Result<Json<ApiResponse<HelpChatResponse>>, StatusCode> {
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Large function with multiple responsibilities

The help_chat function is 40 lines long and handles multiple responsibilities: preparing the system prompt, building message history, calling the LLM, and constructing the response. This makes it harder to test and maintain.

Suggested fix: Break this function into smaller, focused functions such as: prepare_system_prompt, build_message_history, call_llm, and construct_response. Each should have a single responsibility.

*Scanner: code-review/complexity | *

**[medium] Large function with multiple responsibilities** The help_chat function is 40 lines long and handles multiple responsibilities: preparing the system prompt, building message history, calling the LLM, and constructing the response. This makes it harder to test and maintain. Suggested fix: Break this function into smaller, focused functions such as: prepare_system_prompt, build_message_history, call_llm, and construct_response. Each should have a single responsibility. *Scanner: code-review/complexity | * <!-- compliance-fp:d2495cf0753085e348c9c35a8697cc1feb088a94dd8e0691ab79580d7708fd78 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +155,4 @@
- Quote or reference the relevant doc section when it helps\n\
- If the docs do not cover the topic, say so clearly\n\
- Be concise lead with the answer, then explain if needed\n\
- Use markdown formatting for readability\n\n\
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[low] Missing type annotations on public API parameters

The help_chat function signature lacks explicit type annotations for the Extension(agent) parameter, which makes it harder to maintain consistency with other handlers that likely follow a pattern of explicit typing.

Suggested fix: Add explicit type annotation for the agent parameter: Extension(agent): Extension to match common patterns in the codebase.

*Scanner: code-review/convention | *

**[low] Missing type annotations on public API parameters** The help_chat function signature lacks explicit type annotations for the Extension(agent) parameter, which makes it harder to maintain consistency with other handlers that likely follow a pattern of explicit typing. Suggested fix: Add explicit type annotation for the agent parameter: Extension(agent): Extension<Agent> to match common patterns in the codebase. *Scanner: code-review/convention | * <!-- compliance-fp:dfbcb2c56d114d603c8929f65230df59505cc87e5aa8ed44720235e3f061e09d -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +171,4 @@
let response_text = agent
.llm
.chat_with_messages(messages, Some(0.3))
.await
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in help_chat handler

The help_chat handler uses a mix of direct StatusCode returns and map_err with StatusCode::INTERNAL_SERVER_ERROR. This is inconsistent with typical error handling patterns where errors should be converted to a consistent error type or handled through a centralized error mechanism.

Suggested fix: Consider implementing a proper error type for the API and use a consistent pattern like ? operator or explicit error conversion instead of mixing direct StatusCode returns with map_err.

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in help_chat handler** The help_chat handler uses a mix of direct StatusCode returns and map_err with StatusCode::INTERNAL_SERVER_ERROR. This is inconsistent with typical error handling patterns where errors should be converted to a consistent error type or handled through a centralized error mechanism. Suggested fix: Consider implementing a proper error type for the API and use a consistent pattern like `?` operator or explicit error conversion instead of mixing direct StatusCode returns with map_err. *Scanner: code-review/convention | * <!-- compliance-fp:3ac636a591d5f136305368cc0edb85cc7a2dfef26c63d4df46f15a9993d31db5 -->
compliance-dashboard/assets/main.css
@@ -3645,3 +3645,205 @@ tbody tr:last-child td {
.wizard-toggle.active .wizard-toggle-knob {
transform: translateX(16px);
}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] CSS file contains excessive new content

The CSS file has gained 205 lines of new styling for the help chat widget, which significantly increases the file size and complexity. This makes maintenance harder and increases the risk of conflicts during future updates.

Suggested fix: Consider extracting the help chat widget styles into a separate CSS file to keep the main stylesheet manageable and improve maintainability.

*Scanner: code-review/complexity | *

**[medium] CSS file contains excessive new content** The CSS file has gained 205 lines of new styling for the help chat widget, which significantly increases the file size and complexity. This makes maintenance harder and increases the risk of conflicts during future updates. Suggested fix: Consider extracting the help chat widget styles into a separate CSS file to keep the main stylesheet manageable and improve maintainability. *Scanner: code-review/complexity | * <!-- compliance-fp:2a42002bd10b88a77928c8ee255e103f5eb190358a906fa9147588f591af318b -->
compliance-dashboard/src/app.rs
@@ -46,4 +46,2 @@
McpServersPage {},
#[route("/settings")]
SettingsPage {},
}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Missing Settings Page Route

The SettingsPage route was removed from the Route enum but there might be existing references or navigation code that still expects this route to exist. This could lead to runtime errors if any navigation attempts to access the settings page.

Suggested fix: Verify that all references to the SettingsPage route have been removed from the application codebase. If there are any remaining references, they should be updated or removed to prevent runtime errors.

*Scanner: code-review/logic | *

**[medium] Missing Settings Page Route** The SettingsPage route was removed from the Route enum but there might be existing references or navigation code that still expects this route to exist. This could lead to runtime errors if any navigation attempts to access the settings page. Suggested fix: Verify that all references to the SettingsPage route have been removed from the application codebase. If there are any remaining references, they should be updated or removed to prevent runtime errors. *Scanner: code-review/logic | * <!-- compliance-fp:e98f192b02bf8a9873f0c894afedb6ecff82abb693fff8d2bd066803a870e164 -->
compliance-dashboard/src/components/app_shell.rs
@@ -21,6 +22,7 @@ pub fn AppShell() -> Element {
Outlet::<Route> {}
}
ToastContainer {}
HelpChat {}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Missing error handling for authentication check

The check_auth function is called without handling potential errors. If authentication fails, the application should handle this gracefully rather than panicking or silently failing.

Suggested fix: Add proper error handling around the check_auth() call, such as using ? operator or explicit match statement to handle potential authentication failures.

*Scanner: code-review/convention | *

**[medium] Missing error handling for authentication check** The `check_auth` function is called without handling potential errors. If authentication fails, the application should handle this gracefully rather than panicking or silently failing. Suggested fix: Add proper error handling around the `check_auth()` call, such as using `?` operator or explicit match statement to handle potential authentication failures. *Scanner: code-review/convention | * <!-- compliance-fp:de795707203c986bc9f3f4cf6bd83af50bf48af6266eaf35340c04714ca55749 -->
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[high] Missing Input Validation in Help Chat Component

The help chat component allows user input without proper sanitization or validation. This could lead to XSS vulnerabilities if chat messages are displayed without proper escaping, or injection attacks if the input is used in backend operations.

Suggested fix: Implement proper input validation and sanitization for all user-provided content in the help chat component. Ensure all messages are escaped when rendered and validate input length and content types.

Scanner: code-review/security | CWE: CWE-79

**[high] Missing Input Validation in Help Chat Component** The help chat component allows user input without proper sanitization or validation. This could lead to XSS vulnerabilities if chat messages are displayed without proper escaping, or injection attacks if the input is used in backend operations. Suggested fix: Implement proper input validation and sanitization for all user-provided content in the help chat component. Ensure all messages are escaped when rendered and validate input length and content types. *Scanner: code-review/security | CWE: CWE-79* <!-- compliance-fp:5efe855ddaf6054d207ee40d34ca5f7eebc3be765b7d13f57e305c57e8e95245 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +27,4 @@
if text.is_empty() || is_loading() {
return;
}
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Duplicate message sending logic

The message sending logic is duplicated between the on_send handler and the on_keydown handler. This increases maintenance burden and potential for inconsistencies.

Suggested fix: Extract the common message sending logic into a separate function to reduce duplication.

*Scanner: code-review/logic | *

**[medium] Duplicate message sending logic** The message sending logic is duplicated between the `on_send` handler and the `on_keydown` handler. This increases maintenance burden and potential for inconsistencies. Suggested fix: Extract the common message sending logic into a separate function to reduce duplication. *Scanner: code-review/logic | * <!-- compliance-fp:4a3ad18f1142af771333ce03700b303426d73596856374942e116d0950938806 -->
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Code Duplication in Message Sending Logic

The message sending logic is duplicated in both the on_send handler and on_keydown handler. Both handlers perform identical operations for adding user messages, building history, and calling the API. This duplication increases maintenance burden and risk of inconsistencies.

Suggested fix: Extract the common message sending logic into a separate async function or closure that can be reused by both event handlers. This will reduce code duplication and make the component easier to maintain.

*Scanner: code-review/complexity | *

**[medium] Code Duplication in Message Sending Logic** The message sending logic is duplicated in both the on_send handler and on_keydown handler. Both handlers perform identical operations for adding user messages, building history, and calling the API. This duplication increases maintenance burden and risk of inconsistencies. Suggested fix: Extract the common message sending logic into a separate async function or closure that can be reused by both event handlers. This will reduce code duplication and make the component easier to maintain. *Scanner: code-review/complexity | * <!-- compliance-fp:8ba6816e031ac4318642b78525a4794cb162878c271453d9aecaca3bac12a7bc -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +32,4 @@
messages.write().push(ChatMsg {
role: "user".into(),
content: text.clone(),
});
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Potential race condition in loading state management

The is_loading flag is set to true before the async operation starts, but there's no mechanism to prevent multiple concurrent requests. If a user rapidly sends messages, multiple requests could be in flight simultaneously.

Suggested fix: Consider using a more sophisticated concurrency control mechanism or ensuring that only one request can be active at a time.

*Scanner: code-review/logic | *

**[medium] Potential race condition in loading state management** The `is_loading` flag is set to true before the async operation starts, but there's no mechanism to prevent multiple concurrent requests. If a user rapidly sends messages, multiple requests could be in flight simultaneously. Suggested fix: Consider using a more sophisticated concurrency control mechanism or ensuring that only one request can be active at a time. *Scanner: code-review/logic | * <!-- compliance-fp:d4362199ba134252ca66ab1dd911148ee16de4d55cf45621708f7ca33980c4a7 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +42,4 @@
.rev()
.skip(1) // skip the user message we just added
.rev()
.map(|m| HelpChatHistoryMessage {
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Redundant message history construction

The code builds the message history by reversing the vector twice, which is inefficient and unnecessary. The logic should be simplified to avoid redundant operations.

Suggested fix: Simplify the history construction by directly collecting from the iterator without double reversal: messages().iter().take(messages().len().saturating_sub(1)).rev().map(...)

*Scanner: code-review/logic | *

**[medium] Redundant message history construction** The code builds the message history by reversing the vector twice, which is inefficient and unnecessary. The logic should be simplified to avoid redundant operations. Suggested fix: Simplify the history construction by directly collecting from the iterator without double reversal: `messages().iter().take(messages().len().saturating_sub(1)).rev().map(...)` *Scanner: code-review/logic | * <!-- compliance-fp:b31d1429c8e32048ebb20102715433c34068eb33f4622c17e90b95312950c863 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +50,4 @@
spawn(async move {
match send_help_chat_message(text, history).await {
Ok(resp) => {
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in async blocks

The error handling pattern in the async blocks differs between the on_send and on_keydown handlers. The on_keydown handler duplicates the entire message sending logic including the loading state management, while on_send uses a more concise approach. This inconsistency makes the code harder to maintain and increases the risk of divergence.

Suggested fix: Extract the common async message sending logic into a separate function or closure to avoid duplication and ensure consistent error handling.

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in async blocks** The error handling pattern in the async blocks differs between the `on_send` and `on_keydown` handlers. The `on_keydown` handler duplicates the entire message sending logic including the loading state management, while `on_send` uses a more concise approach. This inconsistency makes the code harder to maintain and increases the risk of divergence. Suggested fix: Extract the common async message sending logic into a separate function or closure to avoid duplication and ensure consistent error handling. *Scanner: code-review/convention | * <!-- compliance-fp:8ba195efc69ebe6441439d066945a7fd8de1970993a665125905f0b96132a9e2 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +60,4 @@
messages.write().push(ChatMsg {
role: "assistant".into(),
content: format!("Error: {e}"),
});
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[medium] Complex Boolean Expression in Key Handler

The key handler contains a complex boolean expression checking for Enter key press and shift modifier state. The condition 'if e.key() == Key::Enter && !e.modifiers().shift()' is hard to read and understand at a glance, especially when combined with the subsequent empty/loading checks.

Suggested fix: Break down the complex boolean expression into clear, named variables or extract the key handling logic into a separate function with descriptive names to improve readability.

*Scanner: code-review/complexity | *

**[medium] Complex Boolean Expression in Key Handler** The key handler contains a complex boolean expression checking for Enter key press and shift modifier state. The condition 'if e.key() == Key::Enter && !e.modifiers().shift()' is hard to read and understand at a glance, especially when combined with the subsequent empty/loading checks. Suggested fix: Break down the complex boolean expression into clear, named variables or extract the key handling logic into a separate function with descriptive names to improve readability. *Scanner: code-review/complexity | * <!-- compliance-fp:c8e1e69a1b973a9e7f8a5ba5c9603467e4870efc167e256b955a68fa867176c1 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +64,4 @@
}
}
is_loading.set(false);
});
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[low] Redundant string conversion in message building

The code converts strings to owned values unnecessarily when building the history vector. Specifically, m.role.clone() and m.content.clone() are called even though these are already owned strings. This creates unnecessary allocations.

Suggested fix: Remove the .clone() calls since role and content are already String types and don't need cloning.

*Scanner: code-review/convention | *

**[low] Redundant string conversion in message building** The code converts strings to owned values unnecessarily when building the history vector. Specifically, `m.role.clone()` and `m.content.clone()` are called even though these are already owned strings. This creates unnecessary allocations. Suggested fix: Remove the `.clone()` calls since `role` and `content` are already `String` types and don't need cloning. *Scanner: code-review/convention | * <!-- compliance-fp:f82a85323b8d93e39c8bc2f72b8027db9fbac0cf933bf94d9615533344d0b98c -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +117,4 @@
// Floating toggle button
if !is_open() {
button {
class: "help-chat-toggle",
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Deeply Nested Control Flow

The component has deeply nested control flow with multiple conditional blocks (if statements) inside the main render tree. The message rendering section contains nested conditions for empty state, message iteration, and loading state, making the structure harder to follow.

Suggested fix: Consider extracting the message rendering logic into separate components or functions to flatten the nesting and improve readability. The complex conditional rendering could be simplified by breaking it into smaller, more focused pieces.

*Scanner: code-review/complexity | *

**[medium] Deeply Nested Control Flow** The component has deeply nested control flow with multiple conditional blocks (if statements) inside the main render tree. The message rendering section contains nested conditions for empty state, message iteration, and loading state, making the structure harder to follow. Suggested fix: Consider extracting the message rendering logic into separate components or functions to flatten the nesting and improve readability. The complex conditional rendering could be simplified by breaking it into smaller, more focused pieces. *Scanner: code-review/complexity | * <!-- compliance-fp:7f896e41acb42f08181ca6a6d5ddbfbd948c9f490e4466e1b8c773ce1a412038 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +139,4 @@
Icon { icon: BsX, width: 18, height: 18 }
}
}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Potential security vulnerability in HTML rendering

The component directly uses dangerous_inner_html for rendering assistant messages without sanitizing the content. This could lead to XSS vulnerabilities if the AI responses contain malicious HTML. Even though this is a controlled environment, it's better to sanitize the HTML before rendering.

Suggested fix: Use a proper HTML sanitization library or implement basic sanitization before using dangerous_inner_html to prevent XSS attacks.

*Scanner: code-review/convention | *

**[medium] Potential security vulnerability in HTML rendering** The component directly uses `dangerous_inner_html` for rendering assistant messages without sanitizing the content. This could lead to XSS vulnerabilities if the AI responses contain malicious HTML. Even though this is a controlled environment, it's better to sanitize the HTML before rendering. Suggested fix: Use a proper HTML sanitization library or implement basic sanitization before using `dangerous_inner_html` to prevent XSS attacks. *Scanner: code-review/convention | * <!-- compliance-fp:719753506f037ef6dff0f869ccf146badb2a391e3f59c1a96f57115c1ea4d3f0 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +149,4 @@
"e.g. \"How do I add a repository?\" or \"What is SBOM?\""
}
}
}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Inefficient HTML sanitization approach

The basic string replacement approach for markdown rendering is fragile and doesn't handle nested tags properly. It could lead to XSS vulnerabilities or malformed HTML.

Suggested fix: Use a proper markdown parser library instead of manual string replacements for safer and more accurate rendering.

*Scanner: code-review/logic | *

**[high] Inefficient HTML sanitization approach** The basic string replacement approach for markdown rendering is fragile and doesn't handle nested tags properly. It could lead to XSS vulnerabilities or malformed HTML. Suggested fix: Use a proper markdown parser library instead of manual string replacements for safer and more accurate rendering. *Scanner: code-review/logic | * <!-- compliance-fp:57351b0ba07f43970767b11bf2c4265e9c3f4e8f2f9701488c8ea6f2461d94b1 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +150,4 @@
}
}
}
for (i, msg) in messages().iter().enumerate() {
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Potential XSS Vulnerability via Dangerous Inner HTML

The chat component uses dangerous_inner_html to render assistant messages, which can lead to XSS vulnerabilities if the AI-generated content contains malicious HTML or JavaScript. The content is not properly sanitized before being inserted into the DOM.

Suggested fix: Implement proper HTML sanitization of AI-generated content before rendering it with dangerous_inner_html. Consider using a dedicated HTML sanitizer library or escape all HTML characters in the content before insertion.

Scanner: code-review/security | CWE: CWE-79

**[high] Potential XSS Vulnerability via Dangerous Inner HTML** The chat component uses `dangerous_inner_html` to render assistant messages, which can lead to XSS vulnerabilities if the AI-generated content contains malicious HTML or JavaScript. The content is not properly sanitized before being inserted into the DOM. Suggested fix: Implement proper HTML sanitization of AI-generated content before rendering it with dangerous_inner_html. Consider using a dedicated HTML sanitizer library or escape all HTML characters in the content before insertion. *Scanner: code-review/security | CWE: CWE-79* <!-- compliance-fp:d0427e2a895f180f6dc36236d9f099ae9ba9ccffd867a178590fe3bd47e094ab -->
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[high] Insecure Markdown Rendering Implementation

The markdown rendering implementation is basic and vulnerable to XSS attacks. It replaces simple markdown syntax like '**' with HTML tags without proper escaping or sanitization, allowing potential injection of malicious HTML/JS code.

Suggested fix: Replace the manual markdown replacement with a secure markdown parser that properly escapes HTML content, or implement comprehensive input sanitization before any HTML manipulation.

Scanner: code-review/security | CWE: CWE-79

**[high] Insecure Markdown Rendering Implementation** The markdown rendering implementation is basic and vulnerable to XSS attacks. It replaces simple markdown syntax like '**' with HTML tags without proper escaping or sanitization, allowing potential injection of malicious HTML/JS code. Suggested fix: Replace the manual markdown replacement with a secure markdown parser that properly escapes HTML content, or implement comprehensive input sanitization before any HTML manipulation. *Scanner: code-review/security | CWE: CWE-79* <!-- compliance-fp:90b39c4404ebec277930bcc05083cb1c14d8761da3f94c92e55b48f696a5e70b -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +17,4 @@
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct HelpChatHistoryMessage {
pub role: String,
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[low] Missing type annotations in server function parameters

The send_help_chat_message server function parameters lack explicit type annotations, which can make the function signature less clear and harder to maintain. While Rust's type inference works here, explicit annotations improve readability and prevent potential issues during refactoring.

Suggested fix: Add explicit type annotations to the function parameters: message: String, history: Vec<HelpChatHistoryMessage>

*Scanner: code-review/convention | *

**[low] Missing type annotations in server function parameters** The `send_help_chat_message` server function parameters lack explicit type annotations, which can make the function signature less clear and harder to maintain. While Rust's type inference works here, explicit annotations improve readability and prevent potential issues during refactoring. Suggested fix: Add explicit type annotations to the function parameters: `message: String, history: Vec<HelpChatHistoryMessage>` *Scanner: code-review/convention | * <!-- compliance-fp:c61ee843fa0277faab515b5c158b6a5d2951b0d8d09cba6deb440b49d2e232fe -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +19,4 @@
pub struct HelpChatHistoryMessage {
pub role: String,
pub content: String,
}
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Insecure Deserialization in Help Chat History Messages

The HelpChatHistoryMessage struct is used directly in server functions without any validation or sanitization of the role and content fields. This could lead to unsafe deserialization if these values are not properly validated before being processed or stored.

Suggested fix: Add validation checks for the role field to ensure it only accepts expected values (e.g., 'user', 'assistant') and sanitize the content field to prevent potential injection attacks.

Scanner: code-review/security | CWE: CWE-502

**[medium] Insecure Deserialization in Help Chat History Messages** The `HelpChatHistoryMessage` struct is used directly in server functions without any validation or sanitization of the `role` and `content` fields. This could lead to unsafe deserialization if these values are not properly validated before being processed or stored. Suggested fix: Add validation checks for the `role` field to ensure it only accepts expected values (e.g., 'user', 'assistant') and sanitize the `content` field to prevent potential injection attacks. *Scanner: code-review/security | CWE: CWE-502* <!-- compliance-fp:5dd2470742b160c92445fceb9fb5d62c270d3bfbff1ec4b0cfc0cab824409aa4 -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +22,4 @@
}
// ── Server function ──
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Potential Server-Side Request Forgery (SSRF) via Help Chat API

The send_help_chat_message function constructs a URL using state.agent_api_url which is likely configurable. If this value is controlled by user input or improperly validated, it could allow an attacker to make requests to internal services that should not be accessible from outside the application.

Suggested fix: Validate and sanitize state.agent_api_url to ensure it points to trusted domains only. Implement strict domain whitelisting or use a predefined list of allowed URLs.

Scanner: code-review/security | CWE: CWE-918

**[high] Potential Server-Side Request Forgery (SSRF) via Help Chat API** The `send_help_chat_message` function constructs a URL using `state.agent_api_url` which is likely configurable. If this value is controlled by user input or improperly validated, it could allow an attacker to make requests to internal services that should not be accessible from outside the application. Suggested fix: Validate and sanitize `state.agent_api_url` to ensure it points to trusted domains only. Implement strict domain whitelisting or use a predefined list of allowed URLs. *Scanner: code-review/security | CWE: CWE-918* <!-- compliance-fp:84b9f9b14d5077578fff0240ff66b329f1739d487489e0e55a2d0effc0b56f7b -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +23,4 @@
// ── Server function ──
#[server]
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in server function

The send_help_chat_message function uses ServerFnError::new() for all error cases, but the pattern of wrapping errors with format!() and to_string() is inconsistent with typical server function error handling patterns where more structured error handling might be preferred.

Suggested fix: Consider using more specific error types or consistent error wrapping patterns throughout the server function to maintain uniform error handling across the application.

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in server function** The `send_help_chat_message` function uses `ServerFnError::new()` for all error cases, but the pattern of wrapping errors with `format!()` and `to_string()` is inconsistent with typical server function error handling patterns where more structured error handling might be preferred. Suggested fix: Consider using more specific error types or consistent error wrapping patterns throughout the server function to maintain uniform error handling across the application. *Scanner: code-review/convention | * <!-- compliance-fp:c13f9ee9918b635071d49eb0b94ac4a9a07f9b4339944710fd4eab4af7212062 -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +27,4 @@
pub async fn send_help_chat_message(
message: String,
history: Vec<HelpChatHistoryMessage>,
) -> Result<HelpChatApiResponse, ServerFnError> {
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Complex boolean expression in server function

The send_help_chat_message function contains a complex chain of .map_err() calls that make error handling hard to follow and reason about. Each step adds another layer of error conversion which reduces readability.

Suggested fix: Extract the error handling logic into separate helper functions or use a more concise error handling pattern like the ? operator with custom error types to reduce nesting and improve readability.

*Scanner: code-review/complexity | *

**[medium] Complex boolean expression in server function** The `send_help_chat_message` function contains a complex chain of `.map_err()` calls that make error handling hard to follow and reason about. Each step adds another layer of error conversion which reduces readability. Suggested fix: Extract the error handling logic into separate helper functions or use a more concise error handling pattern like the `?` operator with custom error types to reduce nesting and improve readability. *Scanner: code-review/complexity | * <!-- compliance-fp:1fbd0057afae2589da01a39b6bad27ec8d642d8830ff6e9061b5df9af19c3d43 -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +41,4 @@
.post(&url)
.json(&serde_json::json!({
"message": message,
"history": history,
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[high] Missing error handling for HTTP response status

The send_help_chat_message function sends an HTTP POST request but doesn't check the response status code. If the server returns an error status (like 4xx or 5xx), the function will still try to parse the response as successful, potentially leading to incorrect behavior or crashes.

Suggested fix: Add a check for successful HTTP status codes before attempting to read and parse the response body. For example: resp.status().is_success().then_some(()).ok_or_else(|| ServerFnError::new("HTTP request failed"))?;

*Scanner: code-review/logic | *

**[high] Missing error handling for HTTP response status** The `send_help_chat_message` function sends an HTTP POST request but doesn't check the response status code. If the server returns an error status (like 4xx or 5xx), the function will still try to parse the response as successful, potentially leading to incorrect behavior or crashes. Suggested fix: Add a check for successful HTTP status codes before attempting to read and parse the response body. For example: `resp.status().is_success().then_some(()).ok_or_else(|| ServerFnError::new("HTTP request failed"))?;` *Scanner: code-review/logic | * <!-- compliance-fp:bc21aa8f66f791ad32898d0c4a9b2716347a12b72c90312c9121bc0eda82a660 -->
compliance-dashboard/src/pages/settings.rs Outdated
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Deleted settings page file

The entire settings page implementation has been deleted. This removes all configuration functionality for LiteLLM, GitHub, GitLab, Jira, and SearXNG integrations.

Suggested fix: Reconsider this deletion as it removes important user configuration capabilities. If removal is intentional, ensure alternative configuration methods are properly documented and implemented elsewhere.

*Scanner: code-review/complexity | *

**[high] Deleted settings page file** The entire settings page implementation has been deleted. This removes all configuration functionality for LiteLLM, GitHub, GitLab, Jira, and SearXNG integrations. Suggested fix: Reconsider this deletion as it removes important user configuration capabilities. If removal is intentional, ensure alternative configuration methods are properly documented and implemented elsewhere. *Scanner: code-review/complexity | * <!-- compliance-fp:ec620af5bfe21c920d7552d6f2fc599dab5432225e11c2bda8c7736fd71ce417 -->
compliance-dashboard/src/pages/settings.rs Outdated
sharang commented 2026-03-30 07:45:08 +00:00
Author
Owner
Copy Link

[low] Missing type annotations in component function signature

The component function signature pub fn SettingsPage() -> Element is missing explicit type annotations for the return type. While Element might be inferred, explicit typing improves maintainability and prevents potential issues if the return type changes.

Suggested fix: Explicitly annotate the return type as -> Element or use a more specific type if available.

*Scanner: code-review/convention | *

**[low] Missing type annotations in component function signature** The component function signature `pub fn SettingsPage() -> Element` is missing explicit type annotations for the return type. While `Element` might be inferred, explicit typing improves maintainability and prevents potential issues if the return type changes. Suggested fix: Explicitly annotate the return type as `-> Element` or use a more specific type if available. *Scanner: code-review/convention | * <!-- compliance-fp:cba72a929a7b2d5345bb6f78a1f6da588f5c54a8cd615f853b8503fda50a7f60 -->
compliance-dashboard/src/pages/settings.rs Outdated
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[high] Sensitive Data Exposure in Frontend

The settings page exposes sensitive configuration values (GitHub token, GitLab token, Jira API token) in the frontend UI through reactive state variables. Even though these are masked as password inputs, the underlying values are stored in memory and could be exposed through debugging tools, browser dev tools, or if the application has any data leakage vulnerabilities.

Suggested fix: Remove the settings page entirely or implement proper backend storage with secure handling of sensitive credentials. Never expose sensitive tokens in frontend state management.

Scanner: code-review/security | CWE: CWE-532

**[high] Sensitive Data Exposure in Frontend** The settings page exposes sensitive configuration values (GitHub token, GitLab token, Jira API token) in the frontend UI through reactive state variables. Even though these are masked as password inputs, the underlying values are stored in memory and could be exposed through debugging tools, browser dev tools, or if the application has any data leakage vulnerabilities. Suggested fix: Remove the settings page entirely or implement proper backend storage with secure handling of sensitive credentials. Never expose sensitive tokens in frontend state management. *Scanner: code-review/security | CWE: CWE-532* <!-- compliance-fp:88282fa8dfb5a2e276a9e83376aa60d40d7f4f0609f5ba29f475fe6cf3cf0ede -->
compliance-dashboard/src/pages/settings.rs Outdated
sharang commented 2026-03-30 07:45:07 +00:00
Author
Owner
Copy Link

[medium] Potential Information Disclosure Through Logging

The save button handler logs a message that mentions 'settings are managed via .env' which could inadvertently reveal system configuration details to logs. While this is just informational logging, it's still a potential information disclosure vector.

Suggested fix: Remove the logging statement or make it conditional based on debug level. Avoid including system configuration details in log messages.

Scanner: code-review/security | CWE: CWE-200

**[medium] Potential Information Disclosure Through Logging** The save button handler logs a message that mentions 'settings are managed via .env' which could inadvertently reveal system configuration details to logs. While this is just informational logging, it's still a potential information disclosure vector. Suggested fix: Remove the logging statement or make it conditional based on debug level. Avoid including system configuration details in log messages. *Scanner: code-review/security | CWE: CWE-200* <!-- compliance-fp:1f70b7b2afd41be1a23d376ad02fca8099db1b7b3488c61760d5ee2f7f7ee40c -->
sharang added 1 commit 2026-03-30 07:49:14 +00:00
docs: update README and add help-chat, deduplication docs
All checks were successful
CI / Check (pull_request) Successful in 13m17s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been skipped
Details
CI / Deploy Dashboard (pull_request) Has been skipped
Details
CI / Deploy Docs (pull_request) Has been skipped
Details
CI / Deploy MCP (pull_request) Has been skipped
Details
4d7efea683 
README.md:
- Add DAST, pentesting, code graph, AI chat, MCP, help chat to features table
- Add Gitea to tracker list, multi-language LLM triage note
- Update architecture diagram with all 5 workspace crates
- Add new API endpoints (graph, DAST, chat, help, pentest)
- Update dashboard pages table (remove Settings, add 6 new pages)
- Update project structure with new directories
- Add Keycloak, Chromium to external services

New docs:
- docs/features/help-chat.md — Help chat assistant usage, API, config
- docs/features/deduplication.md — Finding dedup across SAST, DAST, PR, issues

Updated:
- docs/features/overview.md — Add help chat section, update tracker list

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sharang reviewed 2026-03-30 07:49:45 +00:00
sharang left a comment
Author
Owner
Copy Link

Compliance scan found 46 issue(s) in this PR:

  • [high] code-review/complexity: Deleted settings page file
  • [medium] code-review/complexity: Large function with multiple responsibilities
  • [medium] code-review/security: Potential Information Disclosure Through File Content Exposure
  • [medium] code-review/security: Insecure Direct Object Reference in Help Chat API
  • [medium] code-review/security: Hardcoded Default LiteLLM URL
  • [high] code-review/logic: Inefficient HTML sanitization approach
  • [medium] code-review/logic: Unnecessary unwrap_or in find_project_root
  • [medium] code-review/convention: Inconsistent error handling in async blocks
  • [low] code-review/convention: Missing type annotations in component function signature
  • [high] code-review/security: Potential XSS Vulnerability via Dangerous Inner HTML
  • [medium] code-review/logic: Duplicate message sending logic
  • [high] code-review/logic: Potential panic in load_docs when stripping path prefix
  • [high] code-review/security: Path Traversal via Documentation Loading
  • [high] code-review/logic: Incorrect filtering of non-Markdown files
  • [medium] code-review/security: Potential Information Disclosure Through Logging
  • [high] code-review/logic: Missing error handling for HTTP response status
  • [low] code-review/convention: Inconsistent error handling pattern in documentation
  • [medium] code-review/complexity: Code Duplication in Message Sending Logic
  • [medium] code-review/complexity: CSS file contains excessive new content
  • [medium] code-review/security: Insecure File Reading with Potential Directory Traversal
  • [medium] code-review/convention: Potential panic in doc loading due to unwrap usage
  • [high] code-review/security: Sensitive Data Exposure in Frontend
  • [medium] code-review/convention: Missing error handling for authentication check
  • [medium] code-review/convention: Potential security vulnerability in HTML rendering
  • [low] code-review/convention: Redundant string conversion in message building
  • [high] code-review/security: Missing Input Validation in Help Chat Component
  • [high] code-review/security: Potential Server-Side Request Forgery (SSRF) via Help Chat API
  • [medium] code-review/convention: Inconsistent error handling in server function
  • [high] code-review/security: Potential Command Injection via Documentation Loading
  • [low] code-review/convention: Missing type annotations in server function parameters
  • [medium] code-review/convention: Missing type annotations in API endpoint documentation
  • [medium] code-review/logic: Redundant message history construction
  • [medium] code-review/convention: Inconsistent terminology between documentation files
  • [medium] code-review/complexity: Deeply nested control flow in doc loading
  • [medium] code-review/complexity: Deeply Nested Control Flow
  • [medium] code-review/complexity: Complex boolean expression in server function
  • [medium] code-review/logic: Missing Settings Page Route
  • [medium] code-review/convention: Missing type annotations in API documentation
  • [high] code-review/security: Insecure Markdown Rendering Implementation
  • [low] code-review/convention: Missing type annotations on public API parameters
  • [medium] code-review/security: Insecure Deserialization in Help Chat History Messages
  • [medium] code-review/convention: Inconsistent error handling in API endpoints
  • [medium] code-review/complexity: Complex boolean expression in file filtering
  • [medium] code-review/complexity: Complex Boolean Expression in Key Handler
  • [medium] code-review/logic: Potential race condition in loading state management
  • [medium] code-review/convention: Inconsistent error handling in help_chat handler
Compliance scan found **46** issue(s) in this PR: - **[high]** code-review/complexity: Deleted settings page file - **[medium]** code-review/complexity: Large function with multiple responsibilities - **[medium]** code-review/security: Potential Information Disclosure Through File Content Exposure - **[medium]** code-review/security: Insecure Direct Object Reference in Help Chat API - **[medium]** code-review/security: Hardcoded Default LiteLLM URL - **[high]** code-review/logic: Inefficient HTML sanitization approach - **[medium]** code-review/logic: Unnecessary `unwrap_or` in `find_project_root` - **[medium]** code-review/convention: Inconsistent error handling in async blocks - **[low]** code-review/convention: Missing type annotations in component function signature - **[high]** code-review/security: Potential XSS Vulnerability via Dangerous Inner HTML - **[medium]** code-review/logic: Duplicate message sending logic - **[high]** code-review/logic: Potential panic in `load_docs` when stripping path prefix - **[high]** code-review/security: Path Traversal via Documentation Loading - **[high]** code-review/logic: Incorrect filtering of non-Markdown files - **[medium]** code-review/security: Potential Information Disclosure Through Logging - **[high]** code-review/logic: Missing error handling for HTTP response status - **[low]** code-review/convention: Inconsistent error handling pattern in documentation - **[medium]** code-review/complexity: Code Duplication in Message Sending Logic - **[medium]** code-review/complexity: CSS file contains excessive new content - **[medium]** code-review/security: Insecure File Reading with Potential Directory Traversal - **[medium]** code-review/convention: Potential panic in doc loading due to unwrap usage - **[high]** code-review/security: Sensitive Data Exposure in Frontend - **[medium]** code-review/convention: Missing error handling for authentication check - **[medium]** code-review/convention: Potential security vulnerability in HTML rendering - **[low]** code-review/convention: Redundant string conversion in message building - **[high]** code-review/security: Missing Input Validation in Help Chat Component - **[high]** code-review/security: Potential Server-Side Request Forgery (SSRF) via Help Chat API - **[medium]** code-review/convention: Inconsistent error handling in server function - **[high]** code-review/security: Potential Command Injection via Documentation Loading - **[low]** code-review/convention: Missing type annotations in server function parameters - **[medium]** code-review/convention: Missing type annotations in API endpoint documentation - **[medium]** code-review/logic: Redundant message history construction - **[medium]** code-review/convention: Inconsistent terminology between documentation files - **[medium]** code-review/complexity: Deeply nested control flow in doc loading - **[medium]** code-review/complexity: Deeply Nested Control Flow - **[medium]** code-review/complexity: Complex boolean expression in server function - **[medium]** code-review/logic: Missing Settings Page Route - **[medium]** code-review/convention: Missing type annotations in API documentation - **[high]** code-review/security: Insecure Markdown Rendering Implementation - **[low]** code-review/convention: Missing type annotations on public API parameters - **[medium]** code-review/security: Insecure Deserialization in Help Chat History Messages - **[medium]** code-review/convention: Inconsistent error handling in API endpoints - **[medium]** code-review/complexity: Complex boolean expression in file filtering - **[medium]** code-review/complexity: Complex Boolean Expression in Key Handler - **[medium]** code-review/logic: Potential race condition in loading state management - **[medium]** code-review/convention: Inconsistent error handling in help_chat handler
README.md
@@ -151,20 +163,35 @@ The agent exposes a REST API on port 3001:
| `GET` | `/api/v1/sbom` | List dependencies |
| `GET` | `/api/v1/issues` | List cross-tracker issues |
| `GET` | `/api/v1/scan-runs` | Scan execution history |
| `GET` | `/api/v1/graph/:repo_id` | Code knowledge graph |
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in API endpoints

The API endpoints in the README show new functionality like '/api/v1/graph/:repo_id' and '/api/v1/chat/:repo_id' but don't specify how errors are handled. This suggests inconsistent error handling patterns compared to existing endpoints which likely follow a standard error response format.

Suggested fix: Add consistent error response examples for new API endpoints to maintain uniform error handling patterns across the API

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in API endpoints** The API endpoints in the README show new functionality like '/api/v1/graph/:repo_id' and '/api/v1/chat/:repo_id' but don't specify how errors are handled. This suggests inconsistent error handling patterns compared to existing endpoints which likely follow a standard error response format. Suggested fix: Add consistent error response examples for new API endpoints to maintain uniform error handling patterns across the API *Scanner: code-review/convention | * <!-- compliance-fp:b51d86d30d5edfdff5f2511cbcc1e93261bdeec2115a5cbe81bb79693da34047 -->
README.md
@@ -154,0 +169,4 @@
| `POST` | `/api/v1/dast/targets` | Add DAST target |
| `GET` | `/api/v1/dast/findings` | List DAST findings |
| `POST` | `/api/v1/chat/:repo_id` | RAG-powered code chat |
| `POST` | `/api/v1/help/chat` | Documentation-grounded help chat |
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Missing type annotations in API documentation

New API endpoints like '/api/v1/chat/:repo_id' and '/api/v1/help/chat' lack type information in their documentation, which could lead to confusion about expected request/response formats. This pattern appears inconsistent with typical API documentation practices in the project.

Suggested fix: Include example request/response schemas for new API endpoints to ensure consistency with established documentation patterns

*Scanner: code-review/convention | *

**[medium] Missing type annotations in API documentation** New API endpoints like '/api/v1/chat/:repo_id' and '/api/v1/help/chat' lack type information in their documentation, which could lead to confusion about expected request/response formats. This pattern appears inconsistent with typical API documentation practices in the project. Suggested fix: Include example request/response schemas for new API endpoints to ensure consistency with established documentation patterns *Scanner: code-review/convention | * <!-- compliance-fp:ecd94b50362c284ac987aeda4a192f6c34e295f0dc50bb5316f9a39cb3cacc8d -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +28,4 @@
pub struct HelpChatResponse {
pub message: String,
}
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Unnecessary unwrap_or in find_project_root

In find_project_root, the current.pop() call can return false when reaching the root directory, but the loop continues even after popping to the root. This may cause an infinite loop or unexpected behavior if current.pop() fails to pop further.

Suggested fix: Ensure that current.pop() is checked properly and that the loop terminates correctly when reaching the filesystem root.

*Scanner: code-review/logic | *

**[medium] Unnecessary `unwrap_or` in `find_project_root`** In `find_project_root`, the `current.pop()` call can return false when reaching the root directory, but the loop continues even after popping to the root. This may cause an infinite loop or unexpected behavior if `current.pop()` fails to pop further. Suggested fix: Ensure that `current.pop()` is checked properly and that the loop terminates correctly when reaching the filesystem root. *Scanner: code-review/logic | * <!-- compliance-fp:02c4e9afc43ed9b395b629d0e82e35365829a885d31ce5db7e15af42341a9d9d -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +32,4 @@
// ── Doc cache ────────────────────────────────────────────────────────────────
static DOC_CONTEXT: OnceLock<String> = OnceLock::new();
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Deeply nested control flow in doc loading

The load_docs function has deeply nested control flow with multiple if/else branches and nested loops that make it difficult to follow the execution path. The function has 4 levels of nesting which increases complexity.

Suggested fix: Refactor the function to reduce nesting by extracting inner logic into smaller helper functions. Consider early returns and reducing the number of nested conditions.

*Scanner: code-review/complexity | *

**[medium] Deeply nested control flow in doc loading** The load_docs function has deeply nested control flow with multiple if/else branches and nested loops that make it difficult to follow the execution path. The function has 4 levels of nesting which increases complexity. Suggested fix: Refactor the function to reduce nesting by extracting inner logic into smaller helper functions. Consider early returns and reducing the number of nested conditions. *Scanner: code-review/complexity | * <!-- compliance-fp:c4bd24f3a999317cadb959e821ddfd67b9403f6d80aad65a24aff7bd061b070c -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +49,4 @@
/// Read README.md + all docs/**/*.md (excluding node_modules).
fn load_docs(root: &Path) -> String {
let mut parts: Vec<String> = Vec::new();
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Incorrect filtering of non-Markdown files

The filter condition for Markdown files in load_docs uses !s.eq_ignore_ascii_case("md"), which excludes files ending in .md. This is backwards - it should be s.eq_ignore_ascii_case("md") to include only Markdown files.

Suggested fix: Change !s.eq_ignore_ascii_case("md") to s.eq_ignore_ascii_case("md") to correctly filter for Markdown files.

*Scanner: code-review/logic | *

**[high] Incorrect filtering of non-Markdown files** The filter condition for Markdown files in `load_docs` uses `!s.eq_ignore_ascii_case("md")`, which excludes files ending in `.md`. This is backwards - it should be `s.eq_ignore_ascii_case("md")` to include only Markdown files. Suggested fix: Change `!s.eq_ignore_ascii_case("md")` to `s.eq_ignore_ascii_case("md")` to correctly filter for Markdown files. *Scanner: code-review/logic | * <!-- compliance-fp:0ca420b612297b382a3d12aaba34045c70b0b8a5c088abab4ea84d05306408c9 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +51,4 @@
fn load_docs(root: &Path) -> String {
let mut parts: Vec<String> = Vec::new();
// Root README first
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Path Traversal via Documentation Loading

The help_chat handler loads documentation files from the filesystem based on project root detection. The find_project_root function walks up the directory tree to find a directory containing README.md and docs/, but does not validate that the discovered root is within expected boundaries. This could allow an attacker to manipulate the file loading behavior by placing malicious files in unexpected locations, potentially leading to path traversal or arbitrary file reading.

Suggested fix: Add validation to ensure the discovered project root is within a safe, expected directory hierarchy. Consider restricting the search to a specific allowed base path or implementing additional checks to prevent traversal beyond intended directories.

Scanner: code-review/security | CWE: CWE-22

**[high] Path Traversal via Documentation Loading** The help_chat handler loads documentation files from the filesystem based on project root detection. The `find_project_root` function walks up the directory tree to find a directory containing README.md and docs/, but does not validate that the discovered root is within expected boundaries. This could allow an attacker to manipulate the file loading behavior by placing malicious files in unexpected locations, potentially leading to path traversal or arbitrary file reading. Suggested fix: Add validation to ensure the discovered project root is within a safe, expected directory hierarchy. Consider restricting the search to a specific allowed base path or implementing additional checks to prevent traversal beyond intended directories. *Scanner: code-review/security | CWE: CWE-22* <!-- compliance-fp:76ac519157cdfbe6a67bcb4ceda65576a16dbf8d56d83b4c5b6d91b4131a804a -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +53,4 @@
// Root README first
if let Ok(content) = std::fs::read_to_string(root.join("README.md")) {
parts.push(format!("<!-- file: README.md -->\n{content}"));
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Complex boolean expression in file filtering

The boolean expression in the filter_entry closure uses multiple nested conditions that are hard to follow. Specifically, the line checking for non-md files is complex and could be simplified.

Suggested fix: Extract the file extension check into a separate helper function or simplify the boolean logic by breaking it into clear steps. Consider using a more readable pattern like: if path.extension().and_then(|s| s.to_str()).map(|s| s.eq_ignore_ascii_case("md")).unwrap_or(false) { continue; }

*Scanner: code-review/complexity | *

**[medium] Complex boolean expression in file filtering** The boolean expression in the filter_entry closure uses multiple nested conditions that are hard to follow. Specifically, the line checking for non-md files is complex and could be simplified. Suggested fix: Extract the file extension check into a separate helper function or simplify the boolean logic by breaking it into clear steps. Consider using a more readable pattern like: `if path.extension().and_then(|s| s.to_str()).map(|s| s.eq_ignore_ascii_case("md")).unwrap_or(false) { continue; }` *Scanner: code-review/complexity | * <!-- compliance-fp:ad8f9646e3587f284240388c4901ec6201e1bcd3d5681aaa9ae83cb176d264f1 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +64,4 @@
!e.path()
.components()
.any(|c| c.as_os_str() == "node_modules")
})
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Potential panic in doc loading due to unwrap usage

The load_docs function uses unwrap_or(path) which can panic if strip_prefix fails. While this is unlikely, it's an unsafe pattern that could crash the application if the path manipulation logic breaks unexpectedly.

Suggested fix: Replace unwrap_or with a more graceful fallback or handle the error case explicitly to prevent potential panics.

*Scanner: code-review/convention | *

**[medium] Potential panic in doc loading due to unwrap usage** The load_docs function uses unwrap_or(path) which can panic if strip_prefix fails. While this is unlikely, it's an unsafe pattern that could crash the application if the path manipulation logic breaks unexpectedly. Suggested fix: Replace unwrap_or with a more graceful fallback or handle the error case explicitly to prevent potential panics. *Scanner: code-review/convention | * <!-- compliance-fp:33a93c3ba7d2c1d88504a0a70e9686ca0dfe7940315a51df9ccb2dfb3c7b9ca6 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +66,4 @@
.any(|c| c.as_os_str() == "node_modules")
})
.filter_map(|e| e.ok())
{
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Potential panic in load_docs when stripping path prefix

In the load_docs function, path.strip_prefix(root).unwrap_or(path) can panic if root is not a prefix of path. This happens when path is outside the root directory, which shouldn't occur given the filtering logic, but there's a potential race condition or incorrect assumption that could lead to this.

Suggested fix: Replace unwrap_or(path) with a safe fallback like path.to_string_lossy().to_string() or handle the error case explicitly to avoid potential panics.

*Scanner: code-review/logic | *

**[high] Potential panic in `load_docs` when stripping path prefix** In the `load_docs` function, `path.strip_prefix(root).unwrap_or(path)` can panic if `root` is not a prefix of `path`. This happens when `path` is outside the `root` directory, which shouldn't occur given the filtering logic, but there's a potential race condition or incorrect assumption that could lead to this. Suggested fix: Replace `unwrap_or(path)` with a safe fallback like `path.to_string_lossy().to_string()` or handle the error case explicitly to avoid potential panics. *Scanner: code-review/logic | * <!-- compliance-fp:e5836684030a2c1c30386e706014304fbe23361a6a162ae6806a15eebcc3487f -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +70,4 @@
let path = entry.path();
if !path.is_file() {
continue;
}
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Insecure File Reading with Potential Directory Traversal

The load_docs function reads all .md files from the 'docs/' directory recursively. While it filters out node_modules, it doesn't validate that the paths being read are within the intended documentation directory. An attacker could potentially place malicious markdown files in unexpected locations that would be included in the documentation context, leading to potential information disclosure or injection attacks.

Suggested fix: Implement stricter path validation to ensure all files being read are within the documented 'docs/' directory. Add checks to prevent reading files outside of the intended scope, such as verifying that the absolute path of each file is within the docs directory.

Scanner: code-review/security | CWE: CWE-22

**[medium] Insecure File Reading with Potential Directory Traversal** The `load_docs` function reads all .md files from the 'docs/' directory recursively. While it filters out node_modules, it doesn't validate that the paths being read are within the intended documentation directory. An attacker could potentially place malicious markdown files in unexpected locations that would be included in the documentation context, leading to potential information disclosure or injection attacks. Suggested fix: Implement stricter path validation to ensure all files being read are within the documented 'docs/' directory. Add checks to prevent reading files outside of the intended scope, such as verifying that the absolute path of each file is within the docs directory. *Scanner: code-review/security | CWE: CWE-22* <!-- compliance-fp:21f3c58b8f7736cc2c05d1d759dab510ebbd6d4b1e078fdf812ec14c2e2ba42a -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +76,4 @@
.and_then(|s| s.to_str())
.map(|s| !s.eq_ignore_ascii_case("md"))
.unwrap_or(true)
{
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Potential Information Disclosure Through File Content Exposure

The help_chat handler includes file contents directly in the system prompt without sanitization. If any documentation file contains sensitive information (like API keys, passwords, or internal paths), this information could be exposed to the LLM and potentially leaked through responses. Additionally, the file inclusion mechanism could expose internal project structure details.

Suggested fix: Consider implementing content filtering or sanitization before including file contents in prompts. Alternatively, implement a whitelist of allowed documentation files or add a mechanism to exclude sensitive content from being included in the context.

Scanner: code-review/security | CWE: CWE-200

**[medium] Potential Information Disclosure Through File Content Exposure** The help_chat handler includes file contents directly in the system prompt without sanitization. If any documentation file contains sensitive information (like API keys, passwords, or internal paths), this information could be exposed to the LLM and potentially leaked through responses. Additionally, the file inclusion mechanism could expose internal project structure details. Suggested fix: Consider implementing content filtering or sanitization before including file contents in prompts. Alternatively, implement a whitelist of allowed documentation files or add a mechanism to exclude sensitive content from being included in the context. *Scanner: code-review/security | CWE: CWE-200* <!-- compliance-fp:013aff4509a775822b6f5e638262cc557f8f79ddb12ebc1416f36a4d461a3562 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +137,4 @@
pub async fn help_chat(
Extension(agent): AgentExt,
Json(req): Json<HelpChatRequest>,
) -> Result<Json<ApiResponse<HelpChatResponse>>, StatusCode> {
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Large function with multiple responsibilities

The help_chat function is 40 lines long and handles multiple responsibilities: preparing the system prompt, building message history, calling the LLM, and constructing the response. This makes it harder to test and maintain.

Suggested fix: Break this function into smaller, focused functions such as: prepare_system_prompt, build_message_history, call_llm, and construct_response. Each should have a single responsibility.

*Scanner: code-review/complexity | *

**[medium] Large function with multiple responsibilities** The help_chat function is 40 lines long and handles multiple responsibilities: preparing the system prompt, building message history, calling the LLM, and constructing the response. This makes it harder to test and maintain. Suggested fix: Break this function into smaller, focused functions such as: prepare_system_prompt, build_message_history, call_llm, and construct_response. Each should have a single responsibility. *Scanner: code-review/complexity | * <!-- compliance-fp:d2495cf0753085e348c9c35a8697cc1feb088a94dd8e0691ab79580d7708fd78 -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +155,4 @@
- Quote or reference the relevant doc section when it helps\n\
- If the docs do not cover the topic, say so clearly\n\
- Be concise lead with the answer, then explain if needed\n\
- Use markdown formatting for readability\n\n\
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[low] Missing type annotations on public API parameters

The help_chat function signature lacks explicit type annotations for the Extension(agent) parameter, which makes it harder to maintain consistency with other handlers that likely follow a pattern of explicit typing.

Suggested fix: Add explicit type annotation for the agent parameter: Extension(agent): Extension to match common patterns in the codebase.

*Scanner: code-review/convention | *

**[low] Missing type annotations on public API parameters** The help_chat function signature lacks explicit type annotations for the Extension(agent) parameter, which makes it harder to maintain consistency with other handlers that likely follow a pattern of explicit typing. Suggested fix: Add explicit type annotation for the agent parameter: Extension(agent): Extension<Agent> to match common patterns in the codebase. *Scanner: code-review/convention | * <!-- compliance-fp:dfbcb2c56d114d603c8929f65230df59505cc87e5aa8ed44720235e3f061e09d -->
compliance-agent/src/api/handlers/help_chat.rs
@@ -0,0 +171,4 @@
let response_text = agent
.llm
.chat_with_messages(messages, Some(0.3))
.await
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in help_chat handler

The help_chat handler uses a mix of direct StatusCode returns and map_err with StatusCode::INTERNAL_SERVER_ERROR. This is inconsistent with typical error handling patterns where errors should be converted to a consistent error type or handled through a centralized error mechanism.

Suggested fix: Consider implementing a proper error type for the API and use a consistent pattern like ? operator or explicit error conversion instead of mixing direct StatusCode returns with map_err.

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in help_chat handler** The help_chat handler uses a mix of direct StatusCode returns and map_err with StatusCode::INTERNAL_SERVER_ERROR. This is inconsistent with typical error handling patterns where errors should be converted to a consistent error type or handled through a centralized error mechanism. Suggested fix: Consider implementing a proper error type for the API and use a consistent pattern like `?` operator or explicit error conversion instead of mixing direct StatusCode returns with map_err. *Scanner: code-review/convention | * <!-- compliance-fp:3ac636a591d5f136305368cc0edb85cc7a2dfef26c63d4df46f15a9993d31db5 -->
compliance-dashboard/assets/main.css
@@ -3645,3 +3645,205 @@ tbody tr:last-child td {
.wizard-toggle.active .wizard-toggle-knob {
transform: translateX(16px);
}
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] CSS file contains excessive new content

The CSS file has gained 205 lines of new styling for the help chat widget, which significantly increases the file size and complexity. This makes maintenance harder and increases the risk of conflicts during future updates.

Suggested fix: Consider extracting the help chat widget styles into a separate CSS file to keep the main stylesheet manageable and improve maintainability.

*Scanner: code-review/complexity | *

**[medium] CSS file contains excessive new content** The CSS file has gained 205 lines of new styling for the help chat widget, which significantly increases the file size and complexity. This makes maintenance harder and increases the risk of conflicts during future updates. Suggested fix: Consider extracting the help chat widget styles into a separate CSS file to keep the main stylesheet manageable and improve maintainability. *Scanner: code-review/complexity | * <!-- compliance-fp:2a42002bd10b88a77928c8ee255e103f5eb190358a906fa9147588f591af318b -->
compliance-dashboard/src/app.rs
@@ -46,4 +46,2 @@
McpServersPage {},
#[route("/settings")]
SettingsPage {},
}
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Missing Settings Page Route

The SettingsPage route was removed from the Route enum but there might be existing references or navigation code that still expects this route to exist. This could lead to runtime errors if any navigation attempts to access the settings page.

Suggested fix: Verify that all references to the SettingsPage route have been removed from the application codebase. If there are any remaining references, they should be updated or removed to prevent runtime errors.

*Scanner: code-review/logic | *

**[medium] Missing Settings Page Route** The SettingsPage route was removed from the Route enum but there might be existing references or navigation code that still expects this route to exist. This could lead to runtime errors if any navigation attempts to access the settings page. Suggested fix: Verify that all references to the SettingsPage route have been removed from the application codebase. If there are any remaining references, they should be updated or removed to prevent runtime errors. *Scanner: code-review/logic | * <!-- compliance-fp:e98f192b02bf8a9873f0c894afedb6ecff82abb693fff8d2bd066803a870e164 -->
compliance-dashboard/src/components/app_shell.rs
@@ -21,6 +22,7 @@ pub fn AppShell() -> Element {
Outlet::<Route> {}
}
ToastContainer {}
HelpChat {}
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Missing error handling for authentication check

The check_auth function is called without handling potential errors. If authentication fails, the application should handle this gracefully rather than panicking or silently failing.

Suggested fix: Add proper error handling around the check_auth() call, such as using ? operator or explicit match statement to handle potential authentication failures.

*Scanner: code-review/convention | *

**[medium] Missing error handling for authentication check** The `check_auth` function is called without handling potential errors. If authentication fails, the application should handle this gracefully rather than panicking or silently failing. Suggested fix: Add proper error handling around the `check_auth()` call, such as using `?` operator or explicit match statement to handle potential authentication failures. *Scanner: code-review/convention | * <!-- compliance-fp:de795707203c986bc9f3f4cf6bd83af50bf48af6266eaf35340c04714ca55749 -->
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[high] Missing Input Validation in Help Chat Component

The help chat component allows user input without proper sanitization or validation. This could lead to XSS vulnerabilities if chat messages are displayed without proper escaping, or injection attacks if the input is used in backend operations.

Suggested fix: Implement proper input validation and sanitization for all user-provided content in the help chat component. Ensure all messages are escaped when rendered and validate input length and content types.

Scanner: code-review/security | CWE: CWE-79

**[high] Missing Input Validation in Help Chat Component** The help chat component allows user input without proper sanitization or validation. This could lead to XSS vulnerabilities if chat messages are displayed without proper escaping, or injection attacks if the input is used in backend operations. Suggested fix: Implement proper input validation and sanitization for all user-provided content in the help chat component. Ensure all messages are escaped when rendered and validate input length and content types. *Scanner: code-review/security | CWE: CWE-79* <!-- compliance-fp:5efe855ddaf6054d207ee40d34ca5f7eebc3be765b7d13f57e305c57e8e95245 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +27,4 @@
if text.is_empty() || is_loading() {
return;
}
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Duplicate message sending logic

The message sending logic is duplicated between the on_send handler and the on_keydown handler. This increases maintenance burden and potential for inconsistencies.

Suggested fix: Extract the common message sending logic into a separate function to reduce duplication.

*Scanner: code-review/logic | *

**[medium] Duplicate message sending logic** The message sending logic is duplicated between the `on_send` handler and the `on_keydown` handler. This increases maintenance burden and potential for inconsistencies. Suggested fix: Extract the common message sending logic into a separate function to reduce duplication. *Scanner: code-review/logic | * <!-- compliance-fp:4a3ad18f1142af771333ce03700b303426d73596856374942e116d0950938806 -->
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Code Duplication in Message Sending Logic

The message sending logic is duplicated in both the on_send handler and on_keydown handler. Both handlers perform identical operations for adding user messages, building history, and calling the API. This duplication increases maintenance burden and risk of inconsistencies.

Suggested fix: Extract the common message sending logic into a separate async function or closure that can be reused by both event handlers. This will reduce code duplication and make the component easier to maintain.

*Scanner: code-review/complexity | *

**[medium] Code Duplication in Message Sending Logic** The message sending logic is duplicated in both the on_send handler and on_keydown handler. Both handlers perform identical operations for adding user messages, building history, and calling the API. This duplication increases maintenance burden and risk of inconsistencies. Suggested fix: Extract the common message sending logic into a separate async function or closure that can be reused by both event handlers. This will reduce code duplication and make the component easier to maintain. *Scanner: code-review/complexity | * <!-- compliance-fp:8ba6816e031ac4318642b78525a4794cb162878c271453d9aecaca3bac12a7bc -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +32,4 @@
messages.write().push(ChatMsg {
role: "user".into(),
content: text.clone(),
});
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Potential race condition in loading state management

The is_loading flag is set to true before the async operation starts, but there's no mechanism to prevent multiple concurrent requests. If a user rapidly sends messages, multiple requests could be in flight simultaneously.

Suggested fix: Consider using a more sophisticated concurrency control mechanism or ensuring that only one request can be active at a time.

*Scanner: code-review/logic | *

**[medium] Potential race condition in loading state management** The `is_loading` flag is set to true before the async operation starts, but there's no mechanism to prevent multiple concurrent requests. If a user rapidly sends messages, multiple requests could be in flight simultaneously. Suggested fix: Consider using a more sophisticated concurrency control mechanism or ensuring that only one request can be active at a time. *Scanner: code-review/logic | * <!-- compliance-fp:d4362199ba134252ca66ab1dd911148ee16de4d55cf45621708f7ca33980c4a7 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +42,4 @@
.rev()
.skip(1) // skip the user message we just added
.rev()
.map(|m| HelpChatHistoryMessage {
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Redundant message history construction

The code builds the message history by reversing the vector twice, which is inefficient and unnecessary. The logic should be simplified to avoid redundant operations.

Suggested fix: Simplify the history construction by directly collecting from the iterator without double reversal: messages().iter().take(messages().len().saturating_sub(1)).rev().map(...)

*Scanner: code-review/logic | *

**[medium] Redundant message history construction** The code builds the message history by reversing the vector twice, which is inefficient and unnecessary. The logic should be simplified to avoid redundant operations. Suggested fix: Simplify the history construction by directly collecting from the iterator without double reversal: `messages().iter().take(messages().len().saturating_sub(1)).rev().map(...)` *Scanner: code-review/logic | * <!-- compliance-fp:b31d1429c8e32048ebb20102715433c34068eb33f4622c17e90b95312950c863 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +50,4 @@
spawn(async move {
match send_help_chat_message(text, history).await {
Ok(resp) => {
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in async blocks

The error handling pattern in the async blocks differs between the on_send and on_keydown handlers. The on_keydown handler duplicates the entire message sending logic including the loading state management, while on_send uses a more concise approach. This inconsistency makes the code harder to maintain and increases the risk of divergence.

Suggested fix: Extract the common async message sending logic into a separate function or closure to avoid duplication and ensure consistent error handling.

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in async blocks** The error handling pattern in the async blocks differs between the `on_send` and `on_keydown` handlers. The `on_keydown` handler duplicates the entire message sending logic including the loading state management, while `on_send` uses a more concise approach. This inconsistency makes the code harder to maintain and increases the risk of divergence. Suggested fix: Extract the common async message sending logic into a separate function or closure to avoid duplication and ensure consistent error handling. *Scanner: code-review/convention | * <!-- compliance-fp:8ba195efc69ebe6441439d066945a7fd8de1970993a665125905f0b96132a9e2 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +60,4 @@
messages.write().push(ChatMsg {
role: "assistant".into(),
content: format!("Error: {e}"),
});
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Complex Boolean Expression in Key Handler

The key handler contains a complex boolean expression checking for Enter key press and shift modifier state. The condition 'if e.key() == Key::Enter && !e.modifiers().shift()' is hard to read and understand at a glance, especially when combined with the subsequent empty/loading checks.

Suggested fix: Break down the complex boolean expression into clear, named variables or extract the key handling logic into a separate function with descriptive names to improve readability.

*Scanner: code-review/complexity | *

**[medium] Complex Boolean Expression in Key Handler** The key handler contains a complex boolean expression checking for Enter key press and shift modifier state. The condition 'if e.key() == Key::Enter && !e.modifiers().shift()' is hard to read and understand at a glance, especially when combined with the subsequent empty/loading checks. Suggested fix: Break down the complex boolean expression into clear, named variables or extract the key handling logic into a separate function with descriptive names to improve readability. *Scanner: code-review/complexity | * <!-- compliance-fp:c8e1e69a1b973a9e7f8a5ba5c9603467e4870efc167e256b955a68fa867176c1 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +64,4 @@
}
}
is_loading.set(false);
});
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[low] Redundant string conversion in message building

The code converts strings to owned values unnecessarily when building the history vector. Specifically, m.role.clone() and m.content.clone() are called even though these are already owned strings. This creates unnecessary allocations.

Suggested fix: Remove the .clone() calls since role and content are already String types and don't need cloning.

*Scanner: code-review/convention | *

**[low] Redundant string conversion in message building** The code converts strings to owned values unnecessarily when building the history vector. Specifically, `m.role.clone()` and `m.content.clone()` are called even though these are already owned strings. This creates unnecessary allocations. Suggested fix: Remove the `.clone()` calls since `role` and `content` are already `String` types and don't need cloning. *Scanner: code-review/convention | * <!-- compliance-fp:f82a85323b8d93e39c8bc2f72b8027db9fbac0cf933bf94d9615533344d0b98c -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +117,4 @@
// Floating toggle button
if !is_open() {
button {
class: "help-chat-toggle",
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Deeply Nested Control Flow

The component has deeply nested control flow with multiple conditional blocks (if statements) inside the main render tree. The message rendering section contains nested conditions for empty state, message iteration, and loading state, making the structure harder to follow.

Suggested fix: Consider extracting the message rendering logic into separate components or functions to flatten the nesting and improve readability. The complex conditional rendering could be simplified by breaking it into smaller, more focused pieces.

*Scanner: code-review/complexity | *

**[medium] Deeply Nested Control Flow** The component has deeply nested control flow with multiple conditional blocks (if statements) inside the main render tree. The message rendering section contains nested conditions for empty state, message iteration, and loading state, making the structure harder to follow. Suggested fix: Consider extracting the message rendering logic into separate components or functions to flatten the nesting and improve readability. The complex conditional rendering could be simplified by breaking it into smaller, more focused pieces. *Scanner: code-review/complexity | * <!-- compliance-fp:7f896e41acb42f08181ca6a6d5ddbfbd948c9f490e4466e1b8c773ce1a412038 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +139,4 @@
Icon { icon: BsX, width: 18, height: 18 }
}
}
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Potential security vulnerability in HTML rendering

The component directly uses dangerous_inner_html for rendering assistant messages without sanitizing the content. This could lead to XSS vulnerabilities if the AI responses contain malicious HTML. Even though this is a controlled environment, it's better to sanitize the HTML before rendering.

Suggested fix: Use a proper HTML sanitization library or implement basic sanitization before using dangerous_inner_html to prevent XSS attacks.

*Scanner: code-review/convention | *

**[medium] Potential security vulnerability in HTML rendering** The component directly uses `dangerous_inner_html` for rendering assistant messages without sanitizing the content. This could lead to XSS vulnerabilities if the AI responses contain malicious HTML. Even though this is a controlled environment, it's better to sanitize the HTML before rendering. Suggested fix: Use a proper HTML sanitization library or implement basic sanitization before using `dangerous_inner_html` to prevent XSS attacks. *Scanner: code-review/convention | * <!-- compliance-fp:719753506f037ef6dff0f869ccf146badb2a391e3f59c1a96f57115c1ea4d3f0 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +149,4 @@
"e.g. \"How do I add a repository?\" or \"What is SBOM?\""
}
}
}
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Inefficient HTML sanitization approach

The basic string replacement approach for markdown rendering is fragile and doesn't handle nested tags properly. It could lead to XSS vulnerabilities or malformed HTML.

Suggested fix: Use a proper markdown parser library instead of manual string replacements for safer and more accurate rendering.

*Scanner: code-review/logic | *

**[high] Inefficient HTML sanitization approach** The basic string replacement approach for markdown rendering is fragile and doesn't handle nested tags properly. It could lead to XSS vulnerabilities or malformed HTML. Suggested fix: Use a proper markdown parser library instead of manual string replacements for safer and more accurate rendering. *Scanner: code-review/logic | * <!-- compliance-fp:57351b0ba07f43970767b11bf2c4265e9c3f4e8f2f9701488c8ea6f2461d94b1 -->
compliance-dashboard/src/components/help_chat.rs
@@ -0,0 +150,4 @@
}
}
}
for (i, msg) in messages().iter().enumerate() {
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Potential XSS Vulnerability via Dangerous Inner HTML

The chat component uses dangerous_inner_html to render assistant messages, which can lead to XSS vulnerabilities if the AI-generated content contains malicious HTML or JavaScript. The content is not properly sanitized before being inserted into the DOM.

Suggested fix: Implement proper HTML sanitization of AI-generated content before rendering it with dangerous_inner_html. Consider using a dedicated HTML sanitizer library or escape all HTML characters in the content before insertion.

Scanner: code-review/security | CWE: CWE-79

**[high] Potential XSS Vulnerability via Dangerous Inner HTML** The chat component uses `dangerous_inner_html` to render assistant messages, which can lead to XSS vulnerabilities if the AI-generated content contains malicious HTML or JavaScript. The content is not properly sanitized before being inserted into the DOM. Suggested fix: Implement proper HTML sanitization of AI-generated content before rendering it with dangerous_inner_html. Consider using a dedicated HTML sanitizer library or escape all HTML characters in the content before insertion. *Scanner: code-review/security | CWE: CWE-79* <!-- compliance-fp:d0427e2a895f180f6dc36236d9f099ae9ba9ccffd867a178590fe3bd47e094ab -->
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[high] Insecure Markdown Rendering Implementation

The markdown rendering implementation is basic and vulnerable to XSS attacks. It replaces simple markdown syntax like '**' with HTML tags without proper escaping or sanitization, allowing potential injection of malicious HTML/JS code.

Suggested fix: Replace the manual markdown replacement with a secure markdown parser that properly escapes HTML content, or implement comprehensive input sanitization before any HTML manipulation.

Scanner: code-review/security | CWE: CWE-79

**[high] Insecure Markdown Rendering Implementation** The markdown rendering implementation is basic and vulnerable to XSS attacks. It replaces simple markdown syntax like '**' with HTML tags without proper escaping or sanitization, allowing potential injection of malicious HTML/JS code. Suggested fix: Replace the manual markdown replacement with a secure markdown parser that properly escapes HTML content, or implement comprehensive input sanitization before any HTML manipulation. *Scanner: code-review/security | CWE: CWE-79* <!-- compliance-fp:90b39c4404ebec277930bcc05083cb1c14d8761da3f94c92e55b48f696a5e70b -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +17,4 @@
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct HelpChatHistoryMessage {
pub role: String,
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[low] Missing type annotations in server function parameters

The send_help_chat_message server function parameters lack explicit type annotations, which can make the function signature less clear and harder to maintain. While Rust's type inference works here, explicit annotations improve readability and prevent potential issues during refactoring.

Suggested fix: Add explicit type annotations to the function parameters: message: String, history: Vec<HelpChatHistoryMessage>

*Scanner: code-review/convention | *

**[low] Missing type annotations in server function parameters** The `send_help_chat_message` server function parameters lack explicit type annotations, which can make the function signature less clear and harder to maintain. While Rust's type inference works here, explicit annotations improve readability and prevent potential issues during refactoring. Suggested fix: Add explicit type annotations to the function parameters: `message: String, history: Vec<HelpChatHistoryMessage>` *Scanner: code-review/convention | * <!-- compliance-fp:c61ee843fa0277faab515b5c158b6a5d2951b0d8d09cba6deb440b49d2e232fe -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +19,4 @@
pub struct HelpChatHistoryMessage {
pub role: String,
pub content: String,
}
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Insecure Deserialization in Help Chat History Messages

The HelpChatHistoryMessage struct is used directly in server functions without any validation or sanitization of the role and content fields. This could lead to unsafe deserialization if these values are not properly validated before being processed or stored.

Suggested fix: Add validation checks for the role field to ensure it only accepts expected values (e.g., 'user', 'assistant') and sanitize the content field to prevent potential injection attacks.

Scanner: code-review/security | CWE: CWE-502

**[medium] Insecure Deserialization in Help Chat History Messages** The `HelpChatHistoryMessage` struct is used directly in server functions without any validation or sanitization of the `role` and `content` fields. This could lead to unsafe deserialization if these values are not properly validated before being processed or stored. Suggested fix: Add validation checks for the `role` field to ensure it only accepts expected values (e.g., 'user', 'assistant') and sanitize the `content` field to prevent potential injection attacks. *Scanner: code-review/security | CWE: CWE-502* <!-- compliance-fp:5dd2470742b160c92445fceb9fb5d62c270d3bfbff1ec4b0cfc0cab824409aa4 -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +22,4 @@
}
// ── Server function ──
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[high] Potential Server-Side Request Forgery (SSRF) via Help Chat API

The send_help_chat_message function constructs a URL using state.agent_api_url which is likely configurable. If this value is controlled by user input or improperly validated, it could allow an attacker to make requests to internal services that should not be accessible from outside the application.

Suggested fix: Validate and sanitize state.agent_api_url to ensure it points to trusted domains only. Implement strict domain whitelisting or use a predefined list of allowed URLs.

Scanner: code-review/security | CWE: CWE-918

**[high] Potential Server-Side Request Forgery (SSRF) via Help Chat API** The `send_help_chat_message` function constructs a URL using `state.agent_api_url` which is likely configurable. If this value is controlled by user input or improperly validated, it could allow an attacker to make requests to internal services that should not be accessible from outside the application. Suggested fix: Validate and sanitize `state.agent_api_url` to ensure it points to trusted domains only. Implement strict domain whitelisting or use a predefined list of allowed URLs. *Scanner: code-review/security | CWE: CWE-918* <!-- compliance-fp:84b9f9b14d5077578fff0240ff66b329f1739d487489e0e55a2d0effc0b56f7b -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +23,4 @@
// ── Server function ──
#[server]
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Inconsistent error handling in server function

The send_help_chat_message function uses ServerFnError::new() for all error cases, but the pattern of wrapping errors with format!() and to_string() is inconsistent with typical server function error handling patterns where more structured error handling might be preferred.

Suggested fix: Consider using more specific error types or consistent error wrapping patterns throughout the server function to maintain uniform error handling across the application.

*Scanner: code-review/convention | *

**[medium] Inconsistent error handling in server function** The `send_help_chat_message` function uses `ServerFnError::new()` for all error cases, but the pattern of wrapping errors with `format!()` and `to_string()` is inconsistent with typical server function error handling patterns where more structured error handling might be preferred. Suggested fix: Consider using more specific error types or consistent error wrapping patterns throughout the server function to maintain uniform error handling across the application. *Scanner: code-review/convention | * <!-- compliance-fp:c13f9ee9918b635071d49eb0b94ac4a9a07f9b4339944710fd4eab4af7212062 -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +27,4 @@
pub async fn send_help_chat_message(
message: String,
history: Vec<HelpChatHistoryMessage>,
) -> Result<HelpChatApiResponse, ServerFnError> {
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Complex boolean expression in server function

The send_help_chat_message function contains a complex chain of .map_err() calls that make error handling hard to follow and reason about. Each step adds another layer of error conversion which reduces readability.

Suggested fix: Extract the error handling logic into separate helper functions or use a more concise error handling pattern like the ? operator with custom error types to reduce nesting and improve readability.

*Scanner: code-review/complexity | *

**[medium] Complex boolean expression in server function** The `send_help_chat_message` function contains a complex chain of `.map_err()` calls that make error handling hard to follow and reason about. Each step adds another layer of error conversion which reduces readability. Suggested fix: Extract the error handling logic into separate helper functions or use a more concise error handling pattern like the `?` operator with custom error types to reduce nesting and improve readability. *Scanner: code-review/complexity | * <!-- compliance-fp:1fbd0057afae2589da01a39b6bad27ec8d642d8830ff6e9061b5df9af19c3d43 -->
compliance-dashboard/src/infrastructure/help_chat.rs
@@ -0,0 +41,4 @@
.post(&url)
.json(&serde_json::json!({
"message": message,
"history": history,
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Missing error handling for HTTP response status

The send_help_chat_message function sends an HTTP POST request but doesn't check the response status code. If the server returns an error status (like 4xx or 5xx), the function will still try to parse the response as successful, potentially leading to incorrect behavior or crashes.

Suggested fix: Add a check for successful HTTP status codes before attempting to read and parse the response body. For example: resp.status().is_success().then_some(()).ok_or_else(|| ServerFnError::new("HTTP request failed"))?;

*Scanner: code-review/logic | *

**[high] Missing error handling for HTTP response status** The `send_help_chat_message` function sends an HTTP POST request but doesn't check the response status code. If the server returns an error status (like 4xx or 5xx), the function will still try to parse the response as successful, potentially leading to incorrect behavior or crashes. Suggested fix: Add a check for successful HTTP status codes before attempting to read and parse the response body. For example: `resp.status().is_success().then_some(()).ok_or_else(|| ServerFnError::new("HTTP request failed"))?;` *Scanner: code-review/logic | * <!-- compliance-fp:bc21aa8f66f791ad32898d0c4a9b2716347a12b72c90312c9121bc0eda82a660 -->
compliance-dashboard/src/pages/settings.rs
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[high] Deleted settings page file

The entire settings page implementation has been deleted. This removes all configuration functionality for LiteLLM, GitHub, GitLab, Jira, and SearXNG integrations.

Suggested fix: Reconsider this deletion as it removes important user configuration capabilities. If removal is intentional, ensure alternative configuration methods are properly documented and implemented elsewhere.

*Scanner: code-review/complexity | *

**[high] Deleted settings page file** The entire settings page implementation has been deleted. This removes all configuration functionality for LiteLLM, GitHub, GitLab, Jira, and SearXNG integrations. Suggested fix: Reconsider this deletion as it removes important user configuration capabilities. If removal is intentional, ensure alternative configuration methods are properly documented and implemented elsewhere. *Scanner: code-review/complexity | * <!-- compliance-fp:ec620af5bfe21c920d7552d6f2fc599dab5432225e11c2bda8c7736fd71ce417 -->
compliance-dashboard/src/pages/settings.rs
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[low] Missing type annotations in component function signature

The component function signature pub fn SettingsPage() -> Element is missing explicit type annotations for the return type. While Element might be inferred, explicit typing improves maintainability and prevents potential issues if the return type changes.

Suggested fix: Explicitly annotate the return type as -> Element or use a more specific type if available.

*Scanner: code-review/convention | *

**[low] Missing type annotations in component function signature** The component function signature `pub fn SettingsPage() -> Element` is missing explicit type annotations for the return type. While `Element` might be inferred, explicit typing improves maintainability and prevents potential issues if the return type changes. Suggested fix: Explicitly annotate the return type as `-> Element` or use a more specific type if available. *Scanner: code-review/convention | * <!-- compliance-fp:cba72a929a7b2d5345bb6f78a1f6da588f5c54a8cd615f853b8503fda50a7f60 -->
compliance-dashboard/src/pages/settings.rs
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[high] Sensitive Data Exposure in Frontend

The settings page exposes sensitive configuration values (GitHub token, GitLab token, Jira API token) in the frontend UI through reactive state variables. Even though these are masked as password inputs, the underlying values are stored in memory and could be exposed through debugging tools, browser dev tools, or if the application has any data leakage vulnerabilities.

Suggested fix: Remove the settings page entirely or implement proper backend storage with secure handling of sensitive credentials. Never expose sensitive tokens in frontend state management.

Scanner: code-review/security | CWE: CWE-532

**[high] Sensitive Data Exposure in Frontend** The settings page exposes sensitive configuration values (GitHub token, GitLab token, Jira API token) in the frontend UI through reactive state variables. Even though these are masked as password inputs, the underlying values are stored in memory and could be exposed through debugging tools, browser dev tools, or if the application has any data leakage vulnerabilities. Suggested fix: Remove the settings page entirely or implement proper backend storage with secure handling of sensitive credentials. Never expose sensitive tokens in frontend state management. *Scanner: code-review/security | CWE: CWE-532* <!-- compliance-fp:88282fa8dfb5a2e276a9e83376aa60d40d7f4f0609f5ba29f475fe6cf3cf0ede -->
compliance-dashboard/src/pages/settings.rs
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Potential Information Disclosure Through Logging

The save button handler logs a message that mentions 'settings are managed via .env' which could inadvertently reveal system configuration details to logs. While this is just informational logging, it's still a potential information disclosure vector.

Suggested fix: Remove the logging statement or make it conditional based on debug level. Avoid including system configuration details in log messages.

Scanner: code-review/security | CWE: CWE-200

**[medium] Potential Information Disclosure Through Logging** The save button handler logs a message that mentions 'settings are managed via .env' which could inadvertently reveal system configuration details to logs. While this is just informational logging, it's still a potential information disclosure vector. Suggested fix: Remove the logging statement or make it conditional based on debug level. Avoid including system configuration details in log messages. *Scanner: code-review/security | CWE: CWE-200* <!-- compliance-fp:1f70b7b2afd41be1a23d376ad02fca8099db1b7b3488c61760d5ee2f7f7ee40c -->
docs/features/deduplication.md
@@ -0,0 +1,61 @@
# Finding Deduplication
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[low] Inconsistent error handling pattern in documentation

The documentation files don't show any error handling patterns, but this is a documentation change rather than code. However, since this appears to be part of a codebase that might include code examples or API documentation, the absence of error handling considerations in these markdown files could indicate a maintenance issue if they're meant to document actual implementation details.

Suggested fix: Consider adding a note about error handling in deduplication logic if this documentation is meant to describe implementation details

*Scanner: code-review/convention | *

**[low] Inconsistent error handling pattern in documentation** The documentation files don't show any error handling patterns, but this is a documentation change rather than code. However, since this appears to be part of a codebase that might include code examples or API documentation, the absence of error handling considerations in these markdown files could indicate a maintenance issue if they're meant to document actual implementation details. Suggested fix: Consider adding a note about error handling in deduplication logic if this documentation is meant to describe implementation details *Scanner: code-review/convention | * <!-- compliance-fp:1acb160549025fd88d6b29d8f6cd72c12514fb1f1d5879bf2f42c24c38f014de -->
docs/features/help-chat.md
@@ -0,0 +25,4 @@
### API Endpoint
```
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Insecure Direct Object Reference in Help Chat API

The Help Chat API endpoint (/api/v1/help/chat) accepts user messages and history without proper authentication or rate limiting. While this appears to be a frontend feature, if not properly secured, it could allow unauthorized users to query the LLM with arbitrary prompts, potentially leading to prompt injection or excessive API usage.

Suggested fix: Implement proper authentication and authorization checks for the /api/v1/help/chat endpoint. Add rate limiting to prevent abuse and consider validating the message content to prevent prompt injection attacks.

Scanner: code-review/security | CWE: CWE-285

**[medium] Insecure Direct Object Reference in Help Chat API** The Help Chat API endpoint (/api/v1/help/chat) accepts user messages and history without proper authentication or rate limiting. While this appears to be a frontend feature, if not properly secured, it could allow unauthorized users to query the LLM with arbitrary prompts, potentially leading to prompt injection or excessive API usage. Suggested fix: Implement proper authentication and authorization checks for the /api/v1/help/chat endpoint. Add rate limiting to prevent abuse and consider validating the message content to prevent prompt injection attacks. *Scanner: code-review/security | CWE: CWE-285* <!-- compliance-fp:09bc4a54933e346287fc4038614b67bfc4946b70f60e289a8ad948d3e42ae7aa -->
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Missing type annotations in API endpoint documentation

The API endpoint documentation in help-chat.md lacks explicit type annotations for the request/response fields, which could make it harder for developers to understand expected data structures without referring to external code.

Suggested fix: Add type annotations to the API endpoint schema (e.g., 'message: string', 'history: Array<{role: string, content: string}>')

*Scanner: code-review/convention | *

**[medium] Missing type annotations in API endpoint documentation** The API endpoint documentation in help-chat.md lacks explicit type annotations for the request/response fields, which could make it harder for developers to understand expected data structures without referring to external code. Suggested fix: Add type annotations to the API endpoint schema (e.g., 'message: string', 'history: Array<{role: string, content: string}>') *Scanner: code-review/convention | * <!-- compliance-fp:3e063ee07118dc0af12c2825dd37b47587616ff331a3c03a9b9e955c676ceda4 -->
docs/features/help-chat.md
@@ -0,0 +36,4 @@
{ "role": "assistant", "content": "previous answer" }
]
}
```
sharang commented 2026-03-30 07:49:44 +00:00
Author
Owner
Copy Link

[medium] Hardcoded Default LiteLLM URL

The documentation shows a hardcoded default value for LITELLM_URL (http://localhost:4000) which could expose the system to man-in-the-middle attacks if not properly secured in production environments. This also indicates potential insecure defaults that should be reviewed.

Suggested fix: Remove hardcoded default values for sensitive configuration parameters. Ensure that production deployments require explicit configuration of these values and validate that they use secure protocols (HTTPS).

Scanner: code-review/security | CWE: CWE-312

**[medium] Hardcoded Default LiteLLM URL** The documentation shows a hardcoded default value for LITELLM_URL (`http://localhost:4000`) which could expose the system to man-in-the-middle attacks if not properly secured in production environments. This also indicates potential insecure defaults that should be reviewed. Suggested fix: Remove hardcoded default values for sensitive configuration parameters. Ensure that production deployments require explicit configuration of these values and validate that they use secure protocols (HTTPS). *Scanner: code-review/security | CWE: CWE-312* <!-- compliance-fp:34523ae8522b8ba8a39e4f9beac2ccbb57f231de33de9431bdd0716f71c0f7b9 -->
docs/features/help-chat.md
@@ -0,0 +39,4 @@
```
### Configuration
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[high] Potential Command Injection via Documentation Loading

The Help Chat assistant loads and caches documentation files at startup. If user-controlled input can influence which files are loaded or how they're processed, this could lead to command injection or arbitrary file access. The code doesn't show explicit file loading logic but the documentation mentions loading 'docs/features/' directory which could be vulnerable if paths are not properly sanitized.

Suggested fix: Ensure all documentation file paths are properly validated and sanitized before being used. Implement strict path validation to prevent directory traversal attacks and ensure only intended documentation files are loaded.

Scanner: code-review/security | CWE: CWE-78

**[high] Potential Command Injection via Documentation Loading** The Help Chat assistant loads and caches documentation files at startup. If user-controlled input can influence which files are loaded or how they're processed, this could lead to command injection or arbitrary file access. The code doesn't show explicit file loading logic but the documentation mentions loading 'docs/features/' directory which could be vulnerable if paths are not properly sanitized. Suggested fix: Ensure all documentation file paths are properly validated and sanitized before being used. Implement strict path validation to prevent directory traversal attacks and ensure only intended documentation files are loaded. *Scanner: code-review/security | CWE: CWE-78* <!-- compliance-fp:2cff713a203dcbbe3c60c0d4e3889bcccb13a607ecbbf2ee4e1f851600685d4e -->
docs/features/overview.md
@@ -3,3 +3,1 @@
The Overview page is the landing page of Certifai. It gives you a high-level view of your security posture across all tracked repositories.
![Dashboard overview with stats cards, severity distribution, AI chat, and MCP servers](/screenshots/dashboard-overview.png)
The Overview page is the landing page of the Compliance Scanner. It gives you a high-level view of your security posture across all tracked repositories.
sharang commented 2026-03-30 07:49:45 +00:00
Author
Owner
Copy Link

[medium] Inconsistent terminology between documentation files

The term 'Compliance Scanner' is used in overview.md while 'Certifai' was previously used in the same location, indicating inconsistency in naming conventions across documentation files.

Suggested fix: Standardize on 'Compliance Scanner' throughout the documentation to maintain consistency

*Scanner: code-review/convention | *

**[medium] Inconsistent terminology between documentation files** The term 'Compliance Scanner' is used in overview.md while 'Certifai' was previously used in the same location, indicating inconsistency in naming conventions across documentation files. Suggested fix: Standardize on 'Compliance Scanner' throughout the documentation to maintain consistency *Scanner: code-review/convention | * <!-- compliance-fp:f38e9b654734b539654c468273f62bb5bc3c068b3ff5d67b939d2f04e41fc7be -->
sharang merged commit a8bb05d7b1 into main 2026-03-30 08:05:30 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
sharang
Labels
Clear labels
bug
critical
enhancement
high
infrastructure
performance
security
v0.3.0
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
sharang
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: sharang/compliance-scanner-agent#51
Delete Branch "feat/help-chat-widget"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?