github · cve-mcp-servera78d7200931b

Evidence

"""Parse Maven pom.xml <dependency> blocks."""

    results: list[dict] = []

    try:

        root = ET.fromstring(text)

    except ET.ParseError:

        return results

Remediation

Use defusedxml in Python (drop-in replacement for stdlib XML modules). In Java, set XMLConstants.FEATURE_SECURE_PROCESSING=true and disable external-DTD features on the factory before parsing.

Evidence

class URLScanResult(BaseModel):

    model_config = ConfigDict(extra="ignore")

    url: str

    domain: str = ""

    malicious: bool = False

    score: int = 0

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# ── Threat Intelligence API Keys ────────────────────────────────────────────

ABUSEIPDB_KEY: str = os.getenv("ABUSEIPDB_KEY", "")

VIRUSTOTAL_KEY: str = os.getenv("VIRUSTOTAL_KEY", "")

URLSCAN_KEY: str = os.getenv("URLSCAN_KEY", "")

SHODAN_KEY: str = os.getenv("SHODAN_KEY", "")

GREYNOISE_API_KEY: str = os.getenv("GREYNOISE_API_KEY", "")

CIRCL_PDNS_USER: str = os.getenv("CIRCL_PDNS_USER", "")

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

SHODAN_BASE: str = "https://api.shodan.io"

MALWAREBAZAAR_BASE: str = "https://mb-api.abuse.ch/api/v1"

VIRUSTOTAL_BASE: str = "https://www.virustotal.com/api/v3"

URLSCAN_BASE: str = "https://urlscan.io/api/v1"

CRTSH_BASE: str = "https://crt.sh"

CIRCL_PDNS_BASE: str = "https://www.circl.lu/pdns/query"

MSRC_BASE: str = "https://api.msrc.microsoft.com/cvrf/v2.0"

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

queries: security-and-quality

      - name: Autobuild

        uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis

        uses: github/codeql-action/analyze@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v4

      - name: Set up Python 3.12

        uses: actions/setup-python@v5

        with:

          python-version: "3.12"

          cache: "pip"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: write

    steps:

      - uses: actions/checkout@v4

        with:

          fetch-depth: 0

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

security-events: write

    steps:

      - uses: actions/checkout@v4

      - name: Initialize CodeQL

        uses: github/codeql-action/init@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - name: Set up Python 3.12

        uses: actions/setup-python@v5

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

os: [ubuntu-latest, windows-latest, macos-latest]

    steps:

      - uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}

        uses: actions/setup-python@v5

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

fetch-depth: 0

      - name: Create GitHub Release

        uses: softprops/action-gh-release@v2

        with:

          generate_release_notes: true

          draft: false

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v4

      - name: Initialize CodeQL

        uses: github/codeql-action/init@v3

        with:

          languages: python

          queries: security-and-quality

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: github/codeql-action/autobuild@v3

      - name: Perform CodeQL Analysis

        uses: github/codeql-action/analyze@v3

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

python -m pytest tests/ -v -m "not online" --cov=src/cve_mcp --cov-report=xml

      - name: Upload coverage to Codecov

        uses: codecov/codecov-action@v4

        with:

          file: ./coverage.xml

          fail_ci_if_error: false

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - uses: actions/checkout@v4

      - name: Set up Python 3.12

        uses: actions/setup-python@v5

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v4

      - name: Set up Python 3.12

        uses: actions/setup-python@v5

        with:

          python-version: "3.12"

          cache: "pip"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}

        uses: actions/setup-python@v5

        with:

          python-version: ${{ matrix.python-version }}

          cache: "pip"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

row = await cur.fetchone()

            if row and row[0] > 1000:

                await self._db.execute("VACUUM")

                await self._db.commit()

        except Exception:

            pass  # VACUUM is optional

    async def get(self, key: str) -> dict | list | None:

        if self._db is None:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

records = []

            for line in resp.text.strip().split("\n")[:30]:

                try:

                    records.append(json.loads(line))

                except Exception:

                    pass

            await cache.set(cache_key, records, TTL_DOMAIN)

            return records

    except Exception as exc:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

continue

        # Try ISO format with timezone info

        try:

            return datetime.fromisoformat(raw.replace("Z", "+00:00"))

        except (ValueError, AttributeError):

            pass

    return None

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

try:

            parsed = json.loads(text)

            if any(k in parsed for k in ("dependencies", "devDependencies", "peerDependencies")):

                return _parse_package_json(text)

        except (json.JSONDecodeError, ValueError):

            pass

    # Detect pom.xml (XML with <project or <dependency)

    if text.lstrip().startswith("<?xml") or "<project" in text[:500]:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

records = []

                for line in lines[:20]:

                    try:

                        records.append(json.loads(line))

                    except Exception:

                        pass

                result["pdns_records"] = records

        except Exception as exc:

            logger.warning("CIRCL PDNS error for %s: %s", domain, exc)

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.