{ "results": [ { "tool": "code2logic", "target_project": "/project", "tokens_in": 223224, "tokens_out": 2637, "duration_analysis_sec": 9.895550727844238, "duration_llm_sec": 182.65977430343628, "duration_total_sec": 192.55989933013916, "context_chars": 678039, "raw_code_chars": 2790515, "compression_ratio": 0.7570201199420179, "llm_response": " # Code Review: Project Analysis\n\n## Executive Summary\nThis codebase exhibits **severe structural issues** including massive code duplication (80k+ lines of identical logic across 12+ files), critical security vulnerabilities, and fundamental Python anti-patterns. The project appears to contain auto-generated \"broken rules\" that replicate the same bugs across multiple modules.\n\n---\n\n## 1. Critical Security Concerns\n\n### SQL Injection (Critical)\n**Location**: `app/config.py`, `app/db.py`, `app/analytics.py`, etc. - `unsafe_sql_lookup()`\n```python\nunsafe_sql_lookup(conn:Any, table:str, user_input:str) -> list[tuple[Any, ...]]\n# calls: [conn.execute.fetchall, conn.execute]\n```\n**Issue**: Direct string interpolation of `user_input` into SQL queries without parameterization.\n**Recommendation**: Use parameterized queries: `conn.execute(\"SELECT * FROM ? WHERE id = ?\", (table, user_input))`\n\n### Arbitrary Code Execution (Critical)\n**Location**: All modules - `insecure_eval()`\n```python\ninsecure_eval(expression:str) -> Any\n# calls: [eval]\n```\n**Issue**: Uses Python's `eval()` on arbitrary string input, allowing complete system compromise.\n**Recommendation**: Replace with `ast.literal_eval()` for safe parsing, or implement a restricted expression parser.\n\n### Unsafe Deserialization\n**Location**: `parse_payload()` across all modules\n```python\nparse_payload(raw:str) -> dict[str, Any]\n# calls: [raw.replace, json.loads]\n```\n**Issue**: No validation before JSON parsing; potential for memory exhaustion or parsing attacks.\n**Recommendation**: Add schema validation using Pydantic or marshmallow before processing.\n\n---\n\n## 2. Logic Errors & Bugs\n\n### Mutable Default Arguments (Classic Python Bug)\n**Affected**: `accumulate()`, all `generated_rule_X()` functions (220 instances per file)\n```python\naccumulate(values:list[int], acc:list[int]=[]) -> list[int]\ngenerated_rule_X(payload:dict[str,Any], cache:dict[str,Any]={}) -> dict[str, Any]\n```\n**Issue**: Mutable defaults (`[]`, `{}`) are sh...", "llm_quality_keywords": 23, "error": null, "metadata": { "parser": "tree-sitter", "format": "compact+function_logic" } }, { "tool": "nfo", "target_project": "/project", "tokens_in": 41942, "tokens_out": 2452, "duration_analysis_sec": 0.18502426147460938, "duration_llm_sec": 65.98648476600647, "duration_total_sec": 66.17579507827759, "context_chars": 160307, "raw_code_chars": 2790515, "compression_ratio": 0.9425528979417778, "llm_response": "# Code Review Analysis: NFO Representation\n\n## Executive Summary\nThis codebase exhibits severe **code duplication**, **security vulnerabilities**, and **concurrency hazards**. The identical function signatures across 11 modules suggest copy-paste programming or failed code generation. The `BrokenService` class with 220 generated methods is a critical maintainability risk.\n\n---\n\n## 1. Security Concerns (Critical)\n\n### SQL Injection & Code Execution\n- **`unsafe_sql_lookup()`** (all modules): Function name explicitly indicates SQL injection vulnerability. Likely using string concatenation for SQL queries.\n- **`insecure_eval()`** (all modules): Arbitrary code execution risk. Never use `eval()` on untrusted input.\n- **`parse_payload()`** (all modules): Returns `dict[str, Any]` without validation, enabling injection attacks if payload flows to SQL/eval.\n\n**Recommendation**: \n- Replace `unsafe_sql_lookup` with parameterized queries using `sqlite3` placeholders\n- Replace `insecure_eval` with `ast.literal_eval` or JSON parsing\n- Add Pydantic/dataclass validation to `parse_payload`\n\n---\n\n## 2. Concurrency & Race Conditions (High)\n\n### Shared State Mutations\n- **`non_atomic_increment()`** (all modules): Explicitly named as non-atomic; race condition in multi-threaded/async environments.\n- **`mutate_shared_profile()`** (all modules): Mutates shared dictionary without synchronization.\n- **`worker()`** (all modules): Operates on shared `cache`, `last_error`, `name` state without locks.\n\n**Data Flow Issues**:\n```python\n# High risk pattern detected:\nworker() -> data: cache, last_error, name # Shared mutable state\nnon_atomic_increment() -> int # Read-modify-write race\n```\n\n**Recommendation**: \n- Use `asyncio.Lock()` or `threading.Lock()` for shared state\n- Replace `non_atomic_increment` with atomic operations (Redis INCR, DB sequence, or `multiprocessing.Value`)\n\n---\n\n## 3. Logic Errors & Bugs (High)\n\n### Mathematical/Algorithmic Issues\n- **`broken_average()`** (all mo...", "llm_quality_keywords": 21, "error": null, "metadata": { "mode": "data_flow+runtime", "has_runtime_logs": false } }, { "tool": "baseline-raw", "target_project": "/project", "tokens_in": 61086, "tokens_out": 3091, "duration_analysis_sec": 0.0009984970092773438, "duration_llm_sec": 83.40452527999878, "duration_total_sec": 83.41804504394531, "context_chars": 232610, "raw_code_chars": 2790515, "compression_ratio": 0.0, "llm_response": "Code Review Report: `app/analytics.py`\n\n## Executive Summary\nThis module contains critical security vulnerabilities, severe code duplication (200+ identical function signatures), and fundamental logic errors. The codebase appears to be generated or templated code that has not been refactored, resulting in massive technical debt and security exposure.\n\n---\n\n## 1. Security Concerns (Critical)\n\n### SQL Injection (`unsafe_sql_lookup`)\n```python\nquery = f\"SELECT * FROM {{table}} WHERE name = '{{user_input}}'\"\n```\n**Issue**: Direct string interpolation of `table` and `user_input` allows arbitrary SQL injection.\n**Fix**: Use parameterized queries:\n```python\n# Whitelist table names, use ? placeholders\ncursor.execute(f\"SELECT * FROM {allowed_tables[table]} WHERE name = ?\", (user_input,))\n```\n\n### Arbitrary Code Execution (`insecure_eval`)\n```python\ndef insecure_eval(expression: str) -> Any:\n return eval(expression)\n```\n**Issue**: `eval()` executes arbitrary Python code. An attacker can execute `__import__('os').system('rm -rf /')`.\n**Fix**: Use `ast.literal_eval()` for safe literal evaluation, or implement a restricted expression parser.\n\n### Hardcoded Secrets (All `generated_rule_*` functions)\nEach of the 200+ functions contains hardcoded secrets:\n```python\nsecret = \"hardcoded-secret-0\" # Repeats through secret-15 cycle\n```\nThese secrets are then stored in the global cache:\n```python\nGLOBAL_CACHE[cache_key] = {'secret': secret, ...}\n```\n**Issue**: Secrets in source code expose credentials in version control. Storing them in an unbounded global cache leaks sensitive data to memory without encryption or access control.\n\n---\n\n## 2. Potential Bugs & Logic Errors\n\n### Division by Zero (`broken_average`, `generated_rule_*`)\n```python\ndef broken_average(values: list[float]) -> float:\n return sum(values) / (len(values) - 1) # Crashes if len==1\n```\n**Issue**: Off-by-one error and zero-division. Empty lists also raise ZeroDivisionError.\n\nIn generated rules:\n```python\nratio = ...", "llm_quality_keywords": 20, "error": null, "metadata": { "mode": "raw_source" } }, { "tool": "callgraph", "target_project": "/project", "tokens_in": 1471, "tokens_out": 2333, "duration_analysis_sec": 2.044560670852661, "duration_llm_sec": 52.87570548057556, "duration_total_sec": 54.92559289932251, "context_chars": 4841, "raw_code_chars": 2790515, "compression_ratio": 0.9982651947758747, "llm_response": " Based on this call graph analysis, I've identified several critical architectural issues, security risks, and massive code duplication. Here is my detailed review:\n\n## 1. Critical Code Duplication & Architecture Violations\n\n**Issue:** The `app.analytics` module contains **162+ generated functions** (`generated_rule_0` through `generated_rule_115+`) with **identical call signatures**.\n\n**Evidence:**\n- Every function calls: `get` (4×), `int` (2×), `str` (1×) in identical patterns\n- 1,274 call edges with repetitive structure suggests copy-paste or auto-generated boilerplate\n\n**Impact:**\n- **Maintenance nightmare**: Bug fixes require editing 162+ locations\n- **Binary bloat**: Unnecessary function definitions increase memory footprint\n- **Testing burden**: Impossible to unit test each rule individually\n\n**Recommendation:**\nRefactor to a **data-driven rule engine**:\n\n```python\n# Instead of 162 functions:\nRULES_CONFIG = {\n 'rule_0': {'extract': ['field_a', 'field_b'], 'convert': ['int', 'int'], 'output': 'str'},\n # ... 161 more entries\n}\n\ndef evaluate_rule(rule_id, data):\n config = RULES_CONFIG[rule_id]\n # Single implementation point\n```\n\n## 2. Data Flow & Validation Issues\n\n**Issue:** Unsafe type conversion chain without validation.\n\n**Evidence:**\n```\ngenerated_rule_X -> get -> int\ngenerated_rule_X -> get -> int\n```\n\n**Bugs Identified:**\n- **`int()` conversion without validation**: If `get` returns `None` (missing key) or non-numeric string, this raises `ValueError`/`TypeError`\n- **No default values**: `get` likely refers to `dict.get()`, but no default handling before conversion\n- **Silent failures**: If `get` is HTTP `requests.get()`, network failures aren't handled before conversion\n\n**Recommendation:**\nAdd a validation layer:\n\n```python\ndef safe_int_convert(value, rule_id, field_name):\n if value is None:\n raise ValidationError(f\"Missing required field {field_name} in {rule_id}\")\n try:\n return int(value)\n except (ValueError, TypeErro...", "llm_quality_keywords": 21, "error": null, "metadata": { "nodes": 2834, "edges": 18712, "entry_points": 0 } }, { "tool": "treesitter", "target_project": "/project", "tokens_in": 922, "tokens_out": 1984, "duration_analysis_sec": 2.1848599910736084, "duration_llm_sec": 17.64271855354309, "duration_total_sec": 19.832716703414917, "context_chars": 3214, "raw_code_chars": 2790515, "compression_ratio": 0.99884824127446, "llm_response": " Based on this AST representation, I've identified **critical security vulnerabilities**, **severe architectural anti-patterns**, and **data flow anomalies**. The identical AST structure across 9 modules (76,008 nodes each) suggests either extreme code duplication or corrupted AST output.\n\n## 1. Critical Security Concerns\n\n### SQL Injection Vulnerability\n**Location**: `app/auth.py`, `app/api.py`, `app/db.py`, `app/analytics.py`, `app/orders.py`, `app/inventory.py`, `app/etl.py`, `app/logging_pipeline.py`, `app/config.py`\n\n**Issue**: Function `unsafe_sql_lookup` explicitly indicates unsafe SQL practices. The presence of this function across 9 modules suggests widespread SQL injection vectors.\n\n**Risk**: \n- **Authentication bypass** (`app/auth.py`): Direct SQL in auth layer allows credential stuffing via injection\n- **Data exfiltration** (`app/api.py`): Public API endpoint with raw SQL exposes entire database\n- **Privilege escalation** (`app/config.py`): Configuration module with SQL access allows system compromise\n\n**Recommendation**:\n```python\n# Replace with parameterized queries\ndef safe_sql_lookup(conn: Connection, query: str, params: tuple) -> List[Dict]:\n with conn.cursor() as cur:\n cur.execute(query, params) # Parameterized\n return cur.fetchall()\n```\n\n## 2. Data Flow Issues\n\n### A. Connection Management Violations\n**Function**: `unsafe_sql_lookup` in all modules\n\n**Issues**:\n- Raw `conn` parameter passed without context manager verification\n- No connection pooling validation visible in AST\n- Missing transaction boundaries (BEGIN/COMMIT/ROLLBACK)\n- No timeout or circuit breaker patterns\n\n**Fix**:\n```python\nfrom contextlib import contextmanager\nfrom typing import Generator\n\n@contextmanager\ndef get_db_connection() -> Generator[Connection, None, None]:\n conn = pool.get_connection()\n try:\n yield conn\n conn.commit()\n except Exception:\n conn.rollback()\n raise\n finally:\n conn.close()\n```\n\n### B. Missing I...", "llm_quality_keywords": 19, "error": null, "metadata": { "parser": "tree-sitter", "language": "python", "has_native_parser": true } }, { "tool": "ast-grep", "target_project": "/project", "tokens_in": 1283, "tokens_out": 2743, "duration_analysis_sec": 2.572171688079834, "duration_llm_sec": 162.8187358379364, "duration_total_sec": 165.396803855896, "context_chars": 4025, "raw_code_chars": 2790515, "compression_ratio": 0.9985576139171444, "llm_response": " Based on the ast-grep structural analysis, here is a comprehensive code review:\n\n## 1. Critical Bugs & Logic Errors\n\n### **Race Condition in `worker` Function** (Critical)\n**Location:** `/project/app/api.py:75`, `/project/app/utils.py:75`, `/project/app/db.py:75`, and 3 other files\n```python\ndef worker(): # PARAMS= is empty but body uses undefined `n`\n global GLOBAL_COUNTER\n for _ in range(n): # BUG: `n` is undefined in the parameter list\n GLOBAL_COUNTER += 1 # Race condition: non-atomic operation across threads\n```\n- **Issue:** The `worker` function references `n` which is not in the function signature, and modifies global state from multiple threads without synchronization.\n- **Fix:** Add `n` parameter and use `threading.Lock()`:\n```python\ncounter_lock = threading.Lock()\n\ndef worker(n: int):\n global GLOBAL_COUNTER\n for _ in range(n):\n with counter_lock:\n GLOBAL_COUNTER += 1\n```\n\n### **Silent Error Swallowing in `flaky_retry`** (High)\n**Location:** `/project/app/api.py:55`, `/project/app/utils.py:55`, `/project/app/db.py:55`, `/project/app/inventory.py:55`, `/project/app/recommendations.py:55`, `/project/app/etl.py:55`\n- **Issue:** The comment indicates this decorator catches all exceptions and returns `None`, masking failures and making debugging impossible.\n- **Fix:** Implement proper exception logging and selective retry logic:\n```python\ndef flaky_retry(fn):\n @wraps(fn)\n def wrapper(*args, **kwargs):\n try:\n return fn(*args, **kwargs)\n except RetryableException as e: # Be specific\n logger.warning(f\"Retryable error in {fn.__name__}: {e}\")\n return None\n except Exception as e:\n logger.error(f\"Critical error in {fn.__name__}: {e}\")\n raise # Don't swallow unexpected errors\n return wrapper\n```\n\n### **Missing Constructor Parameter**\n**Location:** `/project/app/api.py:89`, `/project/app/utils.py:89`, etc. (6 files)\n```python\ndef __init__(self): ...", "llm_quality_keywords": 18, "error": null, "metadata": { "patterns_used": 9, "method": "ast-grep" } }, { "tool": "radon", "target_project": "/project", "tokens_in": 458, "tokens_out": 2553, "duration_analysis_sec": 8.618851661682129, "duration_llm_sec": 82.80193328857422, "duration_total_sec": 91.42547178268433, "context_chars": 1008, "raw_code_chars": 2790515, "compression_ratio": 0.9996387763549023, "llm_response": "Based on this Radon analysis, I see several **critical architectural red flags** that suggest systemic issues beyond just \"complex code.\" The metrics reveal patterns consistent with monolithic god-classes, potential circular dependencies, and high-risk security anti-patterns.\n\n## 1. Potential Bugs & Logic Errors\n\n**The \"Zero Maintainability\" Anomaly**\n- **Files**: `config.py`, `auth.py`, `payments.py`, `analytics.py`, etc. (MI=0.0)\n- **Issue**: A Maintainability Index of 0.0 indicates these files are mathematically unmaintainable. The MI formula (171 - 5.2ln(Halstead Volume) - 0.23(CC) - 16.2ln(LOC)) yielding zero suggests either:\n - Extreme cyclomatic complexity (likely nested conditionals 10+ levels deep)\n - Massive Halstead volume (excessive operators/operands)\n - **Most likely**: The identical 4,684 SLOC count across different domains suggests **generated code or copy-paste templates** that may contain orphaned logic or unreachable code blocks\n\n**The Identical File Size Pattern**\n- **Observation**: 5 different functional domains (config, logging, analytics, auth, payments) all have exactly **4,684 SLOC**\n- **Bug Risk**: This statistical impossibility indicates:\n - Boilerplate duplication across modules leading to divergent logic bugs (fixing auth but not payments)\n - Potential circular import issues in `config.py` (common in large config files)\n - Copy-paste errors where domain-specific validation was left as generic template code\n\n## 2. Data Flow Issues\n\n**Configuration Hell (`config.py`)**\n- **Risk**: 4,684 lines of configuration suggests **hardcoded environment-specific values** (API keys, DB URLs) rather than environment variable injection\n- **Data Flow**: Likely imported by all other modules, creating a **bottleneck** where changes trigger cascading re-imports\n- **Missing Validation**: Config files this large rarely have centralized schema validation; expect `KeyError` or `NoneType` exceptions at runtime\n\n**Logging Pipeline Coupling (`logging_pipeline...", "llm_quality_keywords": 22, "error": null, "metadata": { "metrics": [ "cyclomatic_complexity", "maintainability_index", "raw_metrics", "halstead" ] } }, { "tool": "bandit", "target_project": "/project", "tokens_in": 570, "tokens_out": 2028, "duration_analysis_sec": 16.675747871398926, "duration_llm_sec": 54.772310733795166, "duration_total_sec": 71.45241904258728, "context_chars": 1867, "raw_code_chars": 2790515, "compression_ratio": 0.9993309478716295, "llm_response": "Based on this Bandit security analysis, I've identified critical systemic issues beyond the individual vulnerabilities. The identical line numbers across multiple files indicate **copy-paste programming** and **architectural decay**.\n\n## 1. Critical Security Concerns\n\n### SQL Injection Epidemic (Line 22)\n**Files affected:** `auth.py`, `api.py`, `analytics.py`, `db.py`, `config.py`\n- **Critical Risk:** `auth.py` contains SQL injection vectors in the authentication layer, potentially allowing credential bypass or privilege escalation\n- **Configuration Risk:** `config.py` executing SQL suggests database access in configuration loading, violating separation of concerns\n- **Pattern:** Identical line numbers indicate a copy-pasted database utility function using string formatting (e.g., `f\"SELECT * FROM {table}\"` or `.format()` interpolation)\n\n**Immediate Action:**\n```python\n# Replace in all files (line 22)\n# VULNERABLE:\ncursor.execute(f\"SELECT * FROM users WHERE id = {user_id}\")\n\n# SECURE:\ncursor.execute(\"SELECT * FROM users WHERE id = %s\", (user_id,))\n```\n\n### Arbitrary Code Execution (Line 28)\n**High confidence blacklist hits** across 8+ files indicate widespread use of `eval()`, `exec()`, or `pickle.loads()`\n- **Data Flow Issue:** Unsanitized user input reaching execution functions\n- **Refactoring:** Replace with `ast.literal_eval()` for safe literal evaluation or JSON parsing for data serialization\n\n## 2. Architecture & Data Flow Issues\n\n### Missing Data Access Layer (DAL)\n**Problem:** SQL construction appearing in `api.py`, `auth.py`, and `analytics.py` violates layered architecture\n- **Data Flow Issue:** Database logic leaks into presentation/API layer\n- **Recommendation:** Centralize all SQL in `db.py` behind parameterized stored procedures or ORM models\n\n### Input Validation Gap\nThe prevalence of injection vulnerabilities suggests:\n- No centralized input sanitization middleware\n- Missing validation schemas (Pydantic/Cerberus) before database operations\n- Trust bo...", "llm_quality_keywords": 18, "error": null, "metadata": { "focus": "security_vulnerabilities", "categories": [ "injection", "xss", "crypto", "deserialization", "secrets" ] } } ], "tools_count": 8, "errors_count": 0 }