Mostly safe โ a couple of notes worth reading.
Scanned 5/3/2026, 6:28:31 PMยทCached resultยทFast Scanยท45 rulesยทHow we decide โ
AIVSS Score
Low
Severity Breakdown
0
critical
0
high
37
medium
49
low
MCP Server Information
Findings
This package receives a B grade with a safety score of 71/100 and poses moderate risk, primarily due to 37 medium-severity issues concentrated in readiness and server configuration gaps. The 49 low-severity readiness findings suggest incomplete implementation practices, while specific concerns around ANSI escape injection, verbose error handling, and resource exhaustion vulnerabilities warrant review before deployment. Installation is acceptable for non-critical environments if you can address the configuration and readiness gaps, but production use should be deferred pending remediation of the medium-severity issues.
No known CVEs found for this package or its dependencies.
Scan Details
Want deeper analysis?
Fast scan found 86 findings using rule-based analysis. Upgrade for LLM consensus across 5 judges, AI-generated remediation, and cross-file taint analysis.
Building your own MCP server?
Same rules, same LLM judges, same grade. Private scans stay isolated to your account and never appear in the public registry. Required for code your team hasnโt shipped yet.
Showing 1โ30 of 86 findings
86 findings
Service binds to 0.0.0.0 โ all network interfaces. For MCP servers that only need to talk to a single parent process, bind to 127.0.0.1 (or a Unix domain socket) instead.
Evidence
| 1571 | if __name__ == "__main__": |
| 1572 | import uvicorn |
| 1573 | uvicorn.run(app, host="0.0.0.0", port=9001, reload=False) |
Remediation
Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.
Service binds to 0.0.0.0 โ all network interfaces. For MCP servers that only need to talk to a single parent process, bind to 127.0.0.1 (or a Unix domain socket) instead.
Evidence
| 544 | def main(): |
| 545 | """Run hosted API server.""" |
| 546 | import uvicorn |
| 547 | uvicorn.run(app, host="0.0.0.0", port=8080) |
| 548 | |
| 549 | |
| 550 | if __name__ == "__main__": |
Remediation
Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.
Service binds to 0.0.0.0 โ all network interfaces. For MCP servers that only need to talk to a single parent process, bind to 127.0.0.1 (or a Unix domain socket) instead.
Evidence
| 60 | ```bash |
| 61 | cd C:\Users\johns\projects\tradememory-protocol |
| 62 | .venv\Scripts\activate |
| 63 | uvicorn scripts.mt5_sync_v3:app --port 9001 --host 0.0.0.0 |
| 64 | ``` |
| 65 | |
| 66 | ๆ็จ bat ๆช๏ผๅซ watchdog ่ชๅ้ๅ๏ผ๏ผ |
Remediation
Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.
Service binds to 0.0.0.0 โ all network interfaces. For MCP servers that only need to talk to a single parent process, bind to 127.0.0.1 (or a Unix domain socket) instead.
Evidence
| 4 | env: python |
| 5 | branch: master |
| 6 | buildCommand: pip install -e . |
| 7 | startCommand: uvicorn hosted.server:app --host 0.0.0.0 --port $PORT |
| 8 | plan: free |
| 9 | envVars: |
| 10 | - key: TM_HOSTED_DB |
Remediation
Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.
Service binds to 0.0.0.0 โ all network interfaces. For MCP servers that only need to talk to a single parent process, bind to 127.0.0.1 (or a Unix domain socket) instead.
Evidence
| 25 | echo [%date% %time%] Launching uvicorn scripts.mt5_sync_v3:app ... |
| 26 | echo [%date% %time%] Launching uvicorn ... >> "%LOG_DIR%\mt5_sync_v3_start.log" |
| 27 | |
| 28 | uvicorn scripts.mt5_sync_v3:app --port 9001 --host 0.0.0.0 |
| 29 | |
| 30 | echo [%date% %time%] uvicorn exited (code: %ERRORLEVEL%). Restarting in 30s... >> "%LOG_DIR%\mt5_sync_v3_start.log" |
| 31 | echo [%date% %time%] uvicorn exited. Restarting in 30s... |
Remediation
Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 114 | ) |
| 115 | |
| 116 | if response.status_code != 200: |
| 117 | print(f"[ERROR] API request failed: {response.status_code}") |
| 118 | print(response.text) |
| 119 | return None |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 253 | return True |
| 254 | |
| 255 | except requests.exceptions.RequestException as e: |
| 256 | print(f"[ERROR] API request failed for {trade_id}: {e}") |
| 257 | return False |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 161 | ) |
| 162 | |
| 163 | if response.status_code != 200: |
| 164 | print(f"[ERROR] API request failed: {response.status_code}") |
| 165 | print(response.text) |
| 166 | return None |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.
Evidence
| 69 | ) |
| 70 | |
| 71 | if response.status_code != 200: |
| 72 | print(f"[ERROR] API request failed: {response.status_code}") |
| 73 | print(response.text) |
| 74 | return None |
Remediation
Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 221 | print(f"\n LLM ERROR: {e}") |
| 222 | print(f" This might be a rate limit or API issue.") |
| 223 | await llm.close() |
| 224 | return {"error": str(e)} |
| 225 | except Exception as e: |
| 226 | print(f"\n UNEXPECTED ERROR: {type(e).__name__}: {e}") |
| 227 | import traceback |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 764 | else: |
| 765 | return {"error": f"Unsupported trade log format: {format}", "disclaimer": DISCLAIMER} |
| 766 | except (FileNotFoundError, ValueError) as e: |
| 767 | return {"error": str(e), "disclaimer": DISCLAIMER} |
| 768 | |
| 769 | if not trades: |
| 770 | return {"error": "No valid trades parsed from CSV", "disclaimer": DISCLAIMER} |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 1104 | except FileNotFoundError as e: |
| 1105 | return {"error": str(e), "hint": "Provide the full absolute path to your CSV file."} |
| 1106 | except ValueError as e: |
| 1107 | return {"error": str(e)} |
| 1108 | except Exception as e: |
| 1109 | logger.error("validate_strategy failed: %s", e) |
| 1110 | return {"error": f"Validation failed: {e}"} |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 227 | import traceback |
| 228 | traceback.print_exc() |
| 229 | await llm.close() |
| 230 | return {"error": str(e)} |
| 231 | |
| 232 | elapsed = time.time() - start_time |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 1102 | num_strategies=num_strategies, |
| 1103 | ) |
| 1104 | except FileNotFoundError as e: |
| 1105 | return {"error": str(e), "hint": "Provide the full absolute path to your CSV file."} |
| 1106 | except ValueError as e: |
| 1107 | return {"error": str(e)} |
| 1108 | except Exception as e: |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 76 | } |
| 77 | except Exception as e: |
| 78 | logger.warning("DSR computation failed: %s", e) |
| 79 | return {"verdict": "ERROR", "error": str(e)} |
| 80 | |
| 81 | |
| 82 | async def run_full_experiment( |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 270 | try: |
| 271 | tf = _resolve_timeframe(timeframe) |
| 272 | except ValueError as e: |
| 273 | return {"error": str(e)} |
| 274 | |
| 275 | # Get data |
| 276 | if series is None: |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 123 | except Exception as e: |
| 124 | print(f" ERROR fetching from Binance: {e}") |
| 125 | await binance.close() |
| 126 | return {"error": str(e)} |
| 127 | |
| 128 | await binance.close() |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 164 | return compute_dsr(sharpe_raw=sharpe, num_obs=n_trades, num_trials=1) |
| 165 | return {"verdict": "INSUFFICIENT_DATA", "sharpe_raw": round(sharpe, 6)} |
| 166 | except Exception as e: |
| 167 | return {"verdict": "ERROR", "error": str(e)} |
| 168 | |
| 169 | |
| 170 | # --------------------------------------------------------------------------- |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 175 | except LLMError as e: |
| 176 | print(f"\n LLM ERROR: {e}") |
| 177 | await llm.close() |
| 178 | return {"error": str(e)} |
| 179 | except Exception as e: |
| 180 | print(f"\n UNEXPECTED ERROR: {type(e).__name__}: {e}") |
| 181 | import traceback |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Full exception detail or stack trace returned to the caller. Leaking tracebacks exposes internal paths, library versions, and query structure โ useful recon for attackers.
Evidence
| 181 | import traceback |
| 182 | traceback.print_exc() |
| 183 | await llm.close() |
| 184 | return {"error": str(e)} |
| 185 | |
| 186 | elapsed = time.time() - start_time |
Remediation
Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 142 | ๆ็จ Python๏ผ |
| 143 | ```python |
| 144 | import requests |
| 145 | r = requests.get('http://localhost:8000/trade/get_active') |
| 146 | print(r.json()) |
| 147 | ``` |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 11 | - tradememory-data:/app/data |
| 12 | restart: unless-stopped |
| 13 | healthcheck: |
| 14 | test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8080/api/v1/health')"] |
| 15 | interval: 30s |
| 16 | timeout: 5s |
| 17 | retries: 3 |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 91 | Args: |
| 92 | symbols: List of trading pairs (default: ["BTCUSDT", "ETHUSDT"]) |
| 93 | timeframes: List of bar timeframes (default: ["15m", "1h", "4h"]) |
| 94 | days: Days of historical data to fetch (default: 1095 = 3 years) |
| 95 | is_ratio: In-sample ratio for IS/OOS split (default: 0.67) |
| 96 | output_dir: Directory for output files |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 238 | ```python |
| 239 | # Today's reflection |
| 240 | resp = requests.post("http://localhost:8000/reflect/run_daily") |
| 241 | print(resp.json()["summary"]) |
| 242 | |
| 243 | # Specific date |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 203 | **Example (Python):** |
| 204 | |
| 205 | ```python |
| 206 | resp = requests.get("http://localhost:8000/trade/get_active") |
| 207 | active = resp.json()["trades"] |
| 208 | print(f"{len(active)} open positions") |
| 209 | ``` |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 10 | url.searchParams.set(key, value); |
| 11 | } |
| 12 | } |
| 13 | const res = await fetch(url.toString()); |
| 14 | if (!res.ok) { |
| 15 | throw new Error(`API error ${res.status}: ${res.statusText}`); |
| 16 | } |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 791 | Args: |
| 792 | symbol: Trading pair (e.g. "BTCUSDT", "ETHUSDT") |
| 793 | timeframe: Bar timeframe โ "5m", "15m", "1h", "4h", "1d" |
| 794 | days: Number of days of history to fetch (default 90) |
| 795 | """ |
| 796 | from .evolution.mcp_tools import fetch_market_data |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).
Evidence
| 242 | print(resp.json()["summary"]) |
| 243 | |
| 244 | # Specific date |
| 245 | resp = requests.post("http://localhost:8000/reflect/run_daily?date=2026-02-22") |
| 246 | ``` |
| 247 | |
| 248 | --- |
Remediation
Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.
Dockerfile never sets a non-root `USER` directive, so the CMD runs as root by default. Any RCE or library-level vulnerability exploited inside this container gets full privileges (MCP Top-10 R3). Add `USER <non-root>` before CMD / ENTRYPOINT in the final stage โ e.g. `USER 1000`, `USER nobody`, or `USER nonroot` on distroless.
Evidence
| 1 | FROM python:3.11-slim |
| 2 | |
| 3 | WORKDIR /app |
| 4 | |
| 5 | COPY pyproject.toml README.md LICENSE ./ |
| 6 | COPY src/ ./src/ |
| 7 | |
| 8 | RUN pip install --no-cache-dir . |
| 9 | |
| 10 | ENTRYPOINT ["tradememory-protocol"] |
Remediation
Create and switch to a non-root user before the CMD / ENTRYPOINT: RUN adduser --system --uid 1000 app USER 1000 Or reuse the base image's shipped non-root account (e.g. `USER nobody`, `USER nonroot` on distroless). Multi-stage builds only need the USER directive in the final stage.
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 16 | - uses: actions/checkout@v4 |
| 17 | |
| 18 | - name: Set up Python |
| 19 | uses: actions/setup-python@v5 |
| 20 | with: |
| 21 | python-version: "3.12" |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 17 | - uses: actions/checkout@v4 |
| 18 | |
| 19 | - name: Set up Python ${{ matrix.python-version }} |
| 20 | uses: actions/setup-python@v5 |
| 21 | with: |
| 22 | python-version: ${{ matrix.python-version }} |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 13 | environment: pypi |
| 14 | |
| 15 | steps: |
| 16 | - uses: actions/checkout@v4 |
| 17 | |
| 18 | - name: Set up Python |
| 19 | uses: actions/setup-python@v5 |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 14 | python-version: ["3.10", "3.11", "3.12"] |
| 15 | |
| 16 | steps: |
| 17 | - uses: actions/checkout@v4 |
| 18 | |
| 19 | - name: Set up Python ${{ matrix.python-version }} |
| 20 | uses: actions/setup-python@v5 |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 17 | - uses: actions/checkout@v4 |
| 18 | |
| 19 | - name: Set up Python 3.12 |
| 20 | uses: actions/setup-python@v5 |
| 21 | with: |
| 22 | python-version: '3.12' |
| 23 | cache: 'pip' |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 27 | run: python -m build |
| 28 | |
| 29 | - name: Publish to PyPI |
| 30 | uses: pypa/gh-action-pypi-publish@release/v1 |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 14 | timeout-minutes: 5 |
| 15 | |
| 16 | steps: |
| 17 | - uses: actions/checkout@v4 |
| 18 | |
| 19 | - name: Set up Python 3.12 |
| 20 | uses: actions/setup-python@v5 |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable โ a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.
Evidence
| 36 | - name: Notify on failure |
| 37 | if: failure() |
| 38 | uses: actions/github-script@v7 |
| 39 | with: |
| 40 | script: | |
| 41 | core.error('Live executor failed. Check the workflow run for details.') |
Remediation
Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version โ Dependabot can do this automatically with `version-update-strategy: inc
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 26 | last = {} |
| 27 | if last_line: |
| 28 | try: |
| 29 | last = json.loads(last_line) |
| 30 | except Exception: |
| 31 | pass |
| 32 | |
| 33 | # Trade count from DB |
| 34 | trades = 0 |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 50 | "timestamp": datetime.now(timezone.utc).isoformat(), |
| 51 | }] |
| 52 | } |
| 53 | requests.post(DISCORD_WEBHOOK_URL, json=payload, timeout=5) |
| 54 | except Exception: |
| 55 | pass |
| 56 | |
| 57 | |
| 58 | def recall_similar(symbol: str, strategy: str, session: str) -> List[Dict]: |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 51 | cp = {} |
| 52 | if CHECKPOINT.exists(): |
| 53 | try: |
| 54 | cp = json.loads(CHECKPOINT.read_text()) |
| 55 | except Exception: |
| 56 | pass |
| 57 | |
| 58 | return decisions, last, trades, total_pnl, wins, cp |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 173 | if procs: |
| 174 | kelly = procs[0].get("kelly_fraction_suggested") |
| 175 | if kelly and kelly > 0: |
| 176 | lot = min(lot, kelly) |
| 177 | except Exception: |
| 178 | pass # No procedural memory yet โ use DQS-adjusted lot |
| 179 | |
| 180 | if lot <= 0: |
| 181 | self.skipped_signals += 1 |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 388 | "timestamp": datetime.now(timezone.utc).isoformat(), |
| 389 | }] |
| 390 | } |
| 391 | requests.post(DISCORD_WEBHOOK_URL, json=payload, timeout=5) |
| 392 | except Exception: |
| 393 | pass |
| 394 | |
| 395 | |
| 396 | # --------------------------------------------------------------------------- |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 588 | log.warning(f"{consecutive_errors} consecutive errors, attempting MT5 reconnect...") |
| 589 | try: |
| 590 | import MetaTrader5 as MT5 |
| 591 | MT5.shutdown() |
| 592 | except Exception: |
| 593 | pass |
| 594 | if init_mt5(): |
| 595 | log.info("MT5 reconnected successfully.") |
| 596 | consecutive_errors = 0 |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 949 | "avg_conf": avg_conf, |
| 950 | "avg_aff": avg_aff, |
| 951 | "negative_ratio": negative_ratio, |
| 952 | }) |
| 953 | except Exception: |
| 954 | pass # PG unavailable โ silently skip, recall still works |
| 955 | |
| 956 | return response |
| 957 | except Exception as e: |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 128 | proposed_lot_size=agent.fixed_lot, |
| 129 | context_regime=None, |
| 130 | ) |
| 131 | is_dqs_scores.append(dqs.score) |
| 132 | except Exception: |
| 133 | pass |
| 134 | |
| 135 | # Step 3: Set adaptive thresholds from IS distribution |
| 136 | if is_dqs_scores: |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 1027 | beliefs = [ |
| 1028 | f"{b.get('proposition', '')} (conf={b.get('confidence', 0):.2f})" |
| 1029 | for b in sem |
| 1030 | ] |
| 1031 | except Exception: |
| 1032 | pass |
| 1033 | |
| 1034 | from .domain.tdr import MemoryContext |
| 1035 | mem = MemoryContext( |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 822 | try: |
| 823 | conn.execute( |
| 824 | "ALTER TABLE episodic_memory ADD COLUMN embedding TEXT" |
| 825 | ) |
| 826 | except Exception: |
| 827 | pass # Column already exists |
| 828 | |
| 829 | embedding_json = json.dumps(embedding) |
| 830 | result = conn.execute( |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 1301 | beliefs = [ |
| 1302 | f"{b.get('proposition', '')} (conf={b.get('confidence', 0):.2f})" |
| 1303 | for b in sem |
| 1304 | ] |
| 1305 | except Exception: |
| 1306 | pass |
| 1307 | |
| 1308 | mem = MemoryContext( |
| 1309 | similar_trades=refs, |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 790 | """Shutdown + re-init MT5.""" |
| 791 | try: |
| 792 | import MetaTrader5 as MT5 |
| 793 | MT5.shutdown() |
| 794 | except Exception: |
| 795 | pass |
| 796 | return self.init_mt5() |
| 797 | |
| 798 | # --- Open positions โ SQLite --- |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 39 | "timestamp": datetime.now(timezone.utc).isoformat(), |
| 40 | }] |
| 41 | } |
| 42 | requests.post(DISCORD_WEBHOOK_URL, json=payload, timeout=5) |
| 43 | except Exception: |
| 44 | pass # Never fail the script for a notification issue |
| 45 | |
| 46 | |
| 47 | def generate_daily_reflection(target_date: date = None) -> str: |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 556 | m = _SL_COMMENT_RE.search(comment) |
| 557 | if m: |
| 558 | try: |
| 559 | return float(m.group(1)) |
| 560 | except ValueError: |
| 561 | pass |
| 562 | return None |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 156 | # Clean up |
| 157 | try: |
| 158 | os.unlink(db_path) |
| 159 | os.rmdir(tmp) |
| 160 | except OSError: |
| 161 | pass |
| 162 | |
| 163 | return sections |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 251 | # Clean up partial file |
| 252 | try: |
| 253 | if os.path.exists(partial_path): |
| 254 | os.remove(partial_path) |
| 255 | except Exception: |
| 256 | pass |
| 257 | |
| 258 | return { |
| 259 | "total_experiments": len(all_results), |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 236 | # Partial save after each experiment |
| 237 | try: |
| 238 | with open(partial_path, "w") as f: |
| 239 | json.dump(all_results, f, indent=2, default=str) |
| 240 | except Exception: |
| 241 | pass |
| 242 | |
| 243 | # Generate final report |
| 244 | report_obj = FullExperimentReport(results=all_results) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 501 | log.warning("MT5 health check failed, attempting reconnect...") |
| 502 | try: |
| 503 | import MetaTrader5 as MT5 |
| 504 | MT5.shutdown() |
| 505 | except Exception: |
| 506 | pass |
| 507 | if init_mt5(): |
| 508 | log.info("MT5 reconnected after health check failure.") |
| 509 | else: |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 716 | expiry_dt = expiry_dt.replace(tzinfo=timezone.utc) |
| 717 | if now > expiry_dt: |
| 718 | db.update_prospective_status(plan["id"], "expired") |
| 719 | continue |
| 720 | except (ValueError, TypeError): |
| 721 | pass |
| 722 | |
| 723 | # Check trigger_condition against context |
| 724 | trigger_cond = plan.get("trigger_condition", {}) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 40 | # Try raw JSON first |
| 41 | try: |
| 42 | return json.loads(text) |
| 43 | except json.JSONDecodeError: |
| 44 | pass |
| 45 | |
| 46 | # Try extracting from markdown code block |
| 47 | if "```" in text: |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 301 | proposed_lot_size=agent.fixed_lot, |
| 302 | context_regime=None, |
| 303 | ) |
| 304 | is_dqs_scores.append(dqs.score) |
| 305 | except Exception: |
| 306 | pass |
| 307 | |
| 308 | if is_dqs_scores: |
| 309 | agent.dqs_engine.set_adaptive_thresholds(is_dqs_scores) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 43 | "FROM episodic_memory" |
| 44 | ).fetchone() |
| 45 | trades, total_pnl, wins = row[0], row[1], row[2] or 0 |
| 46 | conn.close() |
| 47 | except Exception: |
| 48 | pass |
| 49 | |
| 50 | # Checkpoint |
| 51 | cp = {} |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 49 | "timestamp": datetime.now(timezone.utc).isoformat(), |
| 50 | }] |
| 51 | } |
| 52 | requests.post(DISCORD_WEBHOOK_URL, json=payload, timeout=5) |
| 53 | except Exception: |
| 54 | pass # Never block sync for a notification failure |
| 55 | |
| 56 | # Setup logging to both file and console |
| 57 | os.makedirs("logs", exist_ok=True) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 94 | try: |
| 95 | resp = requests.get(f"{TRADEMEMORY_API}/owm/state", timeout=10) |
| 96 | if resp.status_code == 200: |
| 97 | return resp.json() |
| 98 | except Exception: |
| 99 | pass |
| 100 | return None |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 83 | try: |
| 84 | resp = requests.get(f"{TRADEMEMORY_API}/owm/behavioral", timeout=10) |
| 85 | if resp.status_code == 200: |
| 86 | return resp.json() |
| 87 | except Exception: |
| 88 | pass |
| 89 | return None |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 421 | if procs: |
| 422 | kelly = procs[0].get("kelly_fraction_suggested") |
| 423 | if kelly and kelly > 0: |
| 424 | lot = min(lot, kelly) |
| 425 | except Exception: |
| 426 | pass |
| 427 | |
| 428 | if lot <= 0: |
| 429 | self.skipped_signals += 1 |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 675 | "timestamp": _now_iso(), |
| 676 | }] |
| 677 | } |
| 678 | requests.post(DISCORD_WEBHOOK_URL, json=payload, timeout=5) |
| 679 | except Exception: |
| 680 | pass |
| 681 | |
| 682 | |
| 683 | # --------------------------------------------------------------------------- |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 96 | ts = float(value) |
| 97 | if ts > 1e12: |
| 98 | ts /= 1000 # milliseconds |
| 99 | return datetime.fromtimestamp(ts, tz=timezone.utc) |
| 100 | except (ValueError, OSError): |
| 101 | pass |
| 102 | return None |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 54 | ctx = json.loads(market_context) |
| 55 | s = ctx.get("session", "").lower() |
| 56 | if s in ("asia", "london", "ny", "newyork", "new_york"): |
| 57 | return {"newyork": "NY", "new_york": "NY"}.get(s, s.capitalize()) |
| 58 | except (json.JSONDecodeError, AttributeError): |
| 59 | pass |
| 60 | # Fallback: infer from UTC hour |
| 61 | try: |
| 62 | dt = datetime.fromisoformat(ts_str.replace("Z", "+00:00")) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 72 | data = resp.json() |
| 73 | memories = data.get("memories", []) |
| 74 | # Double-check: only keep same strategy (in case API doesn't filter) |
| 75 | return [m for m in memories if m.get("strategy") == strategy] |
| 76 | except Exception: |
| 77 | pass |
| 78 | return [] |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 591 | import MetaTrader5 as MT5 |
| 592 | info = MT5.symbol_info(symbol) |
| 593 | if info and info.trade_contract_size > 0: |
| 594 | return info.trade_contract_size |
| 595 | except Exception: |
| 596 | pass |
| 597 | return _CONTRACT_SIZES.get(symbol, 100000) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 226 | dt = datetime.fromisoformat(t["timestamp"].replace("Z", "+00:00")) |
| 227 | dow = dt.weekday() |
| 228 | if dow < 5: |
| 229 | session_day[(sess, day_names[dow])].append(t["pnl"]) |
| 230 | except Exception: |
| 231 | pass |
| 232 | |
| 233 | heatmap = [] |
| 234 | for (sess, day), pnls in sorted(session_day.items()): |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 51 | if sys.platform == "win32": |
| 52 | try: |
| 53 | sys.stdout.reconfigure(encoding="utf-8") |
| 54 | except Exception: |
| 55 | pass |
| 56 | |
| 57 | # --------------------------------------------------------------------------- |
| 58 | # Config (.env) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 181 | content = filepath.read_text(encoding='utf-8') |
| 182 | # Extract date from filename: reflection_weekly_2026-02-23.txt |
| 183 | date_str = filepath.stem.replace("reflection_weekly_", "") |
| 184 | reflections.append({'date': date_str, 'content': content}) |
| 185 | except Exception: |
| 186 | pass |
| 187 | |
| 188 | return reflections[:weeks] |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 1114 | expiry_dt = expiry_dt.replace(tzinfo=timezone.utc) |
| 1115 | if now > expiry_dt: |
| 1116 | db.update_prospective_status(plan["id"], "expired") |
| 1117 | continue |
| 1118 | except (ValueError, TypeError): |
| 1119 | pass |
| 1120 | |
| 1121 | trigger_cond = plan.get("trigger_condition", {}) |
| 1122 | if isinstance(trigger_cond, str): |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 199 | content = filepath.read_text(encoding='utf-8') |
| 200 | # Extract month from filename: reflection_monthly_2026-02.txt |
| 201 | month_str = filepath.stem.replace("reflection_monthly_", "") |
| 202 | reflections.append({'month': month_str, 'content': content}) |
| 203 | except Exception: |
| 204 | pass |
| 205 | |
| 206 | return reflections[:months] |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 28 | # Reconfigure stdout for Windows UTF-8 |
| 29 | if sys.platform == "win32": |
| 30 | try: |
| 31 | sys.stdout.reconfigure(encoding="utf-8") |
| 32 | except Exception: |
| 33 | pass |
| 34 | |
| 35 | # --------------------------------------------------------------------------- |
| 36 | # Setup paths โ ensure tradememory package is importable |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 398 | if dqs.tier == "skip": |
| 399 | self.skipped_signals += 1 |
| 400 | return None |
| 401 | lot *= dqs.position_multiplier |
| 402 | except Exception: |
| 403 | pass |
| 404 | else: |
| 405 | self._last_dqs_score = 10.0 |
| 406 | self._last_dqs_tier = "go" |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 828 | # Cleanup partial |
| 829 | if os.path.exists(partial_path): |
| 830 | try: |
| 831 | os.remove(partial_path) |
| 832 | except Exception: |
| 833 | pass |
| 834 | |
| 835 | print(f"\nResults: {output_base}.json") |
| 836 | print(f"Report: {output_base}.md") |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 617 | save_state(last_synced_ticket) |
| 618 | try: |
| 619 | import MetaTrader5 as MT5 |
| 620 | MT5.shutdown() |
| 621 | except Exception: |
| 622 | pass |
| 623 | log.info(f"Final state saved: last_ticket={last_synced_ticket}. Goodbye!") |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 435 | metrics = {} |
| 436 | if p.get("metrics"): |
| 437 | try: |
| 438 | metrics = json.loads(p["metrics"]) |
| 439 | except (json.JSONDecodeError, TypeError): |
| 440 | pass |
| 441 | |
| 442 | conf = p.get("confidence", 0.5) |
| 443 | # Derive alpha/beta from confidence and sample_size |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 117 | try: |
| 118 | float(parts[1].strip()) |
| 119 | _parse_date(parts[0].strip()) |
| 120 | is_data = True |
| 121 | except (ValueError, IndexError): |
| 122 | pass |
| 123 | if not is_data: |
| 124 | try: |
| 125 | float(parts[0]) |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 858 | """Save partial results to disk.""" |
| 859 | try: |
| 860 | with open(path, "w") as f: |
| 861 | json.dump(results, f, indent=2, default=str) |
| 862 | except Exception: |
| 863 | pass |
| 864 | |
| 865 | |
| 866 | if __name__ == "__main__": |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 512 | try: |
| 513 | dt = datetime.fromisoformat(t["timestamp"].replace("Z", "+00:00")) |
| 514 | week_start = dt - timedelta(days=dt.weekday()) |
| 515 | weekly[week_start.strftime("%Y-%m-%d")].append(t) |
| 516 | except Exception: |
| 517 | pass |
| 518 | |
| 519 | grades = ["A", "A", "B", "B", "B", "C"] |
| 520 | result = [] |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 155 | conn.execute("DELETE FROM trade_records WHERE id = ?", (test_id,)) |
| 156 | conn.commit() |
| 157 | finally: |
| 158 | conn.close() |
| 159 | except Exception: |
| 160 | pass |
| 161 | elapsed = (time.monotonic() - start) * 1000 |
| 162 | return CheckResult( |
| 163 | name="Write/Read/Delete cycle", |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 963 | beliefs = [ |
| 964 | f"{b.get('proposition', '')} (conf={b.get('confidence', 0):.2f})" |
| 965 | for b in sem |
| 966 | ] |
| 967 | except Exception: |
| 968 | pass |
| 969 | |
| 970 | mem = MemoryContext( |
| 971 | similar_trades=refs, |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 68 | # Reconfigure stdout for Windows UTF-8 |
| 69 | if sys.platform == "win32": |
| 70 | try: |
| 71 | sys.stdout.reconfigure(encoding="utf-8") |
| 72 | except Exception: |
| 73 | pass |
| 74 | |
| 75 | # Load environment variables |
| 76 | load_dotenv() |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 123 | if not is_data: |
| 124 | try: |
| 125 | float(parts[0]) |
| 126 | is_data = True |
| 127 | except ValueError: |
| 128 | pass |
| 129 | has_header = not is_data |
| 130 | |
| 131 | start = 1 if has_header else 0 |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.
Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.
Evidence
| 525 | log.error(f"MT5 API timed out ({consecutive_errors}), forcing reconnect") |
| 526 | try: |
| 527 | import MetaTrader5 as MT5 |
| 528 | MT5.shutdown() |
| 529 | except Exception: |
| 530 | pass |
| 531 | init_mt5() |
| 532 | raise TimeoutError("MT5 API call timed out") |
Remediation
Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.