For a lot of things (especially usages) jedi's completely lazy approach is not good enough. It is probably better to use a database index cache. The index will basically be a graph that saves all the type inference findings.

This is just an issue for discussion and collection of possible ideas.

Steps to reproduce

With the following example code i encounter warnings that should not pop up.
It does not seem to be fixed i

The in-progress dev docs have a section on developer workflow: https://google.github.io/pytype/developers/index.html. We also have https://github.com/google/pytype/blob/master/CONTRIBUTING.md. They read like standalone docs with no knowledge of each other and contain different, occasionally overlapping (but at least not contradicting, I think) information. We should coordinate them in some way so

I wrote some of the code to do this in a branch https://github.com/python-security/pyt/compare/class_based_views, but since I'm working on other things and this feature seems cool and important I'm making this issue 👍

Let me know if you would like any help in implementing.

• incremental CTU (on the fly CTU with skip files) feature usage configuration, limitations when ready
• web UI usage
  • how to compare the previous (marked by tag, use the date filter) results of two runs (same run?)
• more simple and advanced use case examples
  • CI job for a quality review (check for high severity results and fail the job if any)
  • usage of the upcoming f

Currently, engine does not support matching vulnerabilities against the busybox "package" itself. Detected applications are scanned (npm, python, java, etc), but because there aren't os packages as with Centos, Deb, etc there is no "os package" vuln scanning support.

The solution is to add a virtual package to the anchore analysis for the busybox binary itself, which anchore already detects as

Is your feature request related to a problem? Please describe.
Want to use package like zxcvbn as part of the filtering. Motivating Golang is gosec hardcoded config check

Describe the solution you'd like

- pattern-where-python: |
   import zxcvbn
   zxcvbn.PasswordStrength(vars["$MYVAR"]) > 80.0

OAI ensures the contents of the S3 bucket remain private and prevent people from bypassing CloudFront to access content

Checkov may need to do a multiple resource check for this… (Both the CFN Distro and backing S3 bucket)

Landscape currently detects 43 code smells here
https://landscape.io/github/OrkoHunter/pep8speaks/17/messages/smell

Not all, but most of them should be easy to fix.

When the slither-check-upgradeability is run after slither was used previously on a truffle project which was build and whose code has changed (i.e. files removed/added) the tool could suggest to make a clean-rebuild of the project when failing like this:

$ slither-check-upgradeability . SomeContractProxy . SomeContract
ERROR:CryticCompile:- Fetching solc version list from solc-bin. Att

not so trivial and could save time.

client should have python3.x installed (that's trivial), rename the ~/ida7.4/plugins/idapython*.disabled and run ~/ida7.4/idapyswitch.

btw, great project.

Per #2, deque cannot be analyzed symbolically. Tentative plan is to implement a "dumb" version on top of a generic list: https://github.com/pschanely/CrossHair/blob/56ce14ee44c1103121c483f479d3d1a5a4bd3438/crosshair/simplestructs.py#L57

This program is super useful! I have built it in to my git pre-commit hook so that it runs before every commit, but that means every single time I have to wait for the search index to "update" even when I haven't made any changes to the documentation.

It would be really cool to build in a functionality that the full program would only run if the documentation had changed. For instance, you co

Description

Currently add_failure takes the values required to create a failure, creates it then adds it to the Result object's failed_rules
On the other hand add_warning takes a Failure object directly.

Proposed solution

The methods should be updated so that they both have the same behavior (or maybe even just add an add_finding method which takes a type that can be either Failure o

At link time (and using the compiler flags described here http://gcc-python-plugin.readthedocs.io/en/latest/lto.html?highlight=supergraph) I always get None for the function object. The example script outputs an empty png.

for node in get_callgraph_nodes():
           fun = node.decl.function
           if fun:
               for edge in node.callees:

Currently rstcheck is hard coded to ignore Sphinx RST extensions via:

https://github.com/myint/rstcheck/blob/v3.3.1/rstcheck.py#L163

If sphinx is installed, it get the current information, otherwise defaults to a hard coded list of roles and directives. This makes sense as a default behaviour.

However, not everyone uses Sphinx, and in that case it would be useful to be able to disable

Write a section under Help, in the visualiser, to make clearer what each metric and issue means. For instance, provide basic instructions on how to fix high Cyclomatic Complexity numbers, and so on.

It appears like Visual Studio 2019 with SARIF viewer extension is not working quite well.

• Visual Studio is expecting the version attribute to be at the top! When we do to_json(sarif schema) the attributes are getting sorted alphabetically so the runs attribute is on the top and version is at the bottom. We need to find a workaround for this
• Our url encode is encoding and converting the