Findings
unknownEnvironment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. Reading `CODACY_ACCOUNT_TOKEN` from `process.env` is the normal way an MCP server receives its credential and is not a defect in itself; what matters is where the value flows. The next line starts building `OpenAPI.HEADERS`, so confirm the token is attached only to requests sent to the `OpenAPI.BASE` host (`https://app.codacy.com/api/v3`) and is never echoed into logs or tool output.
7: import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
8: // Check for API key
>>> 9: const CODACY_ACCOUNT_TOKEN = process.env.CODACY_ACCOUNT_TOKEN;
10: OpenAPI.BASE = 'https://app.codacy.com/api/v3';
11: OpenAPI.HEADERS = {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The flagged value is a CLI version string, not a secret. Its security relevance is indirect: if `_cliVersion` is later interpolated into a shell command or a download URL, whoever controls the environment could inject options or redirect the download, so verify it is checked against a strict version pattern before any such use.
7: _cliCommand = '';
8: _accountToken = process.env.CODACY_ACCOUNT_TOKEN;
>>> 9: _cliVersion = process.env.CODACY_CLI_VERSION;
10: rootPath;
11: provider;

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. This is the same token read as the first finding, here stored as a field on `CodacyCli`; the read itself is expected. Make sure the field is excluded from anything that serializes, logs, or surfaces the `CodacyCli` instance to the model.
6: export class CodacyCli {
7: _cliCommand = '';
>>> 8: _accountToken = process.env.CODACY_ACCOUNT_TOKEN;
9: _cliVersion = process.env.CODACY_CLI_VERSION;
10: rootPath;

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. `exec` runs `command` through a shell (`cmd.exe` on Windows), so metacharacters in the string are interpreted. The function itself performs no validation; whether this is exploitable depends on how callers assemble `command`, which is outside the snippet.
6: async function execWindowsCmdAsync(command) {
7: return new Promise((resolve, reject) => {
>>> 8: exec(command, {
9: encoding: 'buffer',
10: }, (error, stdout, stderr) => {Report false positiveDecoded base64 content: ��E�W���ްv�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive. The decoded output is non-printable binary, which is what force-decoding a high-entropy string that is not actually base64 (a hash, an identifier, minified code) produces. Treat this and the identical DO-BAS entries below as noise unless the original string can be located and shown to decode to something meaningful.
Report false positiveDecoded base64 content: ��Qz�,��+�������-N�%
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: �+-:��,ڶ*'�v�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: J�b�'���ӭ�즊�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: j�e�ƭ������龎�'
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive. An import of `child_process` is a capability indicator, not a vulnerability; the actual risk lives at the `exec` call sites flagged separately below, where the command strings are assembled.
1: export const CODACY_FOLDER_NAME = '.codacy';
>>> 2: import { exec } from 'child_process';
3: import * as path from 'path';
4: // Set a larger buffer size (10MB)

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. The match is on the method name `preparePathForExec`, not on a call to `child_process.exec`, so this is a false positive for SC-003. The method is actually part of the mitigation (it calls `isPathSafe` before escaping); the strength of `isPathSafe` determines how much the exec sites below can rely on it.
45: return true;
46: }
>>> 47: preparePathForExec(path) {
48: // Validate path security before escaping
49: if (!this.isPathSafe(path)) {

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. `cmd` is built by concatenating `command` and `argsString` and handed to `exec`, which runs it through a shell, so every caller must quote or escape its arguments (the `preparePathForExec` helper exists for that). When `command` is a fixed binary, `execFile`/`spawn` with an argv array removes the shell from the path entirely and is the safer construction.
69: const cmd = `${command} ${argsString}`.trim();
70: return new Promise((resolve, reject) => {
>>> 71: exec(cmd, {
72: cwd: this.rootPath,
73: maxBuffer: MAX_BUFFER_SIZE, // To solve: stdout maxBuffer exceeded

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. The supply-chain point is the two lines that follow: the bootstrap script is fetched with `curl -Ls` from the mutable `main` branch of the upstream repository, with no pinned commit or checksum verification, and is then made executable with `chmod +x`. Anyone who can alter that branch, or the redirect chain `-L` follows, controls code that runs on the developer's machine. Pin the download to a tag or commit SHA and verify a published checksum before marking the file executable.
36: const codacyCliPath = path.join(CODACY_FOLDER_NAME, 'cli.sh');
37: if (!fs.existsSync(codacyCliPath)) {
>>> 38: const execPath = this.preparePathForExec(codacyCliPath);
39: await this.execAsync(`curl -Ls -o "${execPath}" https://raw.githubusercontent.com/codacy/codacy-cli-v2/main/codacy-cli.sh`);
40: await this.execAsync(`chmod +x "${execPath}"`);

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. Of the interpolated pieces, `file` goes through `preparePathForExec` and `tool` is passed as an options object rather than spliced into the string, so the visible call is reasonably defended. The remaining questions are what `getCliCommand()` returns and how `execAsync` turns `{ tool }` into arguments; neither is in the snippet.
113: const { file, tool } = options;
114: try {
>>> 115: const { stdout } = await this.execAsync(`${this.getCliCommand()} analyze ${file ? this.preparePathForExec(file) : ''} --format sarif`, tool ? { tool: tool } : {});
116: const jsonMatch = /(\{[\s\S]*\}|\[[\s\S]*\])/.exec(stdout);
117: return jsonMatch ? JSON.parse(jsonMatch[0]) : null;

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. This is `RegExp.prototype.exec` on a regex literal, not `child_process.exec`; the rule matched the method name, so it is a false positive. Separately, the regex is greedy (`[\s\S]*`) and captures from the first `{`/`[` to the last `}`/`]` in stdout, so a `JSON.parse` failure is handled by the surrounding `try`, whose catch branch is not shown here.
114: try {
115: const { stdout } = await this.execAsync(`${this.getCliCommand()} analyze ${file ? this.preparePathForExec(file) : ''} --format sarif`, tool ? { tool: tool } : {});
>>> 116: const jsonMatch = /(\{[\s\S]*\}|\[[\s\S]*\])/.exec(stdout);
117: return jsonMatch ? JSON.parse(jsonMatch[0]) : null;
118: }

Dynamic code execution via exec()
Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive. Again a match on the method name `preparePathForExec`, not an `exec` call, so a false positive. The WSL-to-Windows conversion before validation is the part worth reviewing: validation should run on the form of the path the shell will actually receive, and both forms should be rejected when either is unsafe.
25: return windowsPath;
26: }
>>> 27: preparePathForExec(path) {
28: // Convert WSL path to Windows format for validation
29: const winFilePath = path.startsWith('/mnt/') ? WinWSLCodacyCli.fromWSLPath(path) : path;

Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive. Capability indicator only; the call site that matters is `execWindowsCmdAsync` above, which passes its `command` string to a shell unvalidated.
3: import { WinWSLCodacyCli } from './WinWSLCodacyCli.js';
4: import { WinCodacyCli } from './WinCodacyCli.js';
>>> 5: import { exec } from 'child_process';
6: async function execWindowsCmdAsync(command) {
7: return new Promise((resolve, reject) => {Report false positiveDecoded base64 content: r����#y�m�`{�i���o]}u�^�m5�����t���=
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: r���ܡ֜��(u�2
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��?{^�Ȩ��(u�2
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: r�^���)ݲ���g)
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: u����b��-�g)�)쵩e
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: u����b��-�g)�)쵩e
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ������� i�'�*'
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: �K�������jg�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: J�b�'���ӭ�즊�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: �+-:��,ڶ*'E�h�+h�'�N�%
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��r^��"���I�.�+r"צ�v�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��E�W��˞�v�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��Qz�,��+�������-)^�*/z��xv�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��O�YQz���Ѣ�8�|v�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: �+->�eE�z�H�˞�v�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
Report false positiveDecoded base64 content: ��Qz�,��+�h�� ڗ+"�v�vW�
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.
High-entropy string (5.3 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive. Without the string itself the finding cannot be assessed; entropy alone flags hashes, tokens, and minified code alike. Check whether the string is a committed credential (rotate it if so) or an innocuous digest.
High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive. A `fetch` with an `AbortController` wired to `onCancel` is the idiomatic cancellable request and is not a finding on its own. The security question is where `url` and the headers in `request` (which presumably carry the account token) come from, which the snippet does not show.
184: }
185: onCancel(() => controller.abort());
>>> 186: return await fetch(url, request);
187: };
188: export const getResponseHeader = (response, responseHeader) => {

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.8 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Possible Base64-encoded payload (long encoded string)
Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive. The encoded `config` parameter decodes to `{"command":"npx -y @codacy/codacy-mcp@latest","env":{"CODACY_ACCOUNT_TOKEN":"<Your personal token>"}}`, a Cursor one-click MCP configuration rather than a hidden payload, so this is a false positive. Worth noting that the command runs `@latest` via `npx -y`, so the server version a user installs through this link is unpinned.
135: You can use the one-click install for Cursor:
136:
>>> 137: [](https://cursor.com/install-mcp?name=codacy&config=eyJjb21tYW5kIjoibnB4IC15IEBjb2RhY3kvY29kYWN5LW1jcEBsYXRlc3QiLCJlbnYiOnsiQ09EQUNZX0FDQ09VTlRfVE9LRU4iOiI8WW91ciBwZXJzb25hbCB0b2tlbj4ifX0%3D)
138:
139: Otherwise, depending on what you are connecting the MCP Server to, you can use the following methods:

High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
Possible Base64-encoded payload (long encoded string)
Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive. The flagged string is a Codacy dashboard badge URL with `utm_*` query parameters, not base64; false positive.
1: # Codacy MCP Server
>>> 2: [](https://app.codacy.com/gh/codacy/codacy-mcp-server/dashboard?utm_source=gh&utm_medium=referral&utm_content=&utm_campaign=Badge_grade)
3:
4:

High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (5.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.
High-entropy string (4.8 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.