Thanks for helping keep ansede-static safe and trustworthy.
| Version | Supported |
|---|---|
| 5.5.x (latest) | ✅ Active |
| 5.1.x | ✅ Security fixes |
| 5.0.x | ✅ Security fixes |
| 4.x | ❌ No longer supported |
| < 4.0 | ❌ No longer supported |
If you discover a security vulnerability in ansede-static, please do not open a public issue.
Instead, use GitHub private vulnerability reporting:
When reporting, please include:
- Version:
ansede-static --version - Steps to reproduce
- Impact assessment (if known)
- Scanner engine, CLI, analysis rules
- Supply chain issues in PyPI packages
- License server authentication bypass
- Example/test code under
samples/orcampaign/ - Issues requiring physical machine access
- Social engineering
We aim to acknowledge reports within 48 hours and provide a fix within 7 days for critical issues.
https://github.com/mattybellx/Ansede/security/advisories
- Private security vulnerabilities: GitHub Security Advisories (link above)
- Non-sensitive bugs / false positives / false negatives: GitHub Issues
- General questions: GitHub Discussions
Include as much of the following as possible:
- Affected version(s)
- Reproduction steps / minimal sample
- Security impact (confidentiality / integrity / availability)
- Potential CWE mapping (if known)
- Any proposed mitigation or patch direction
ansede-static is a static analysis tool — it reads source code but never executes it. Security concerns include:
- False negatives — missing a real vulnerability in scanned code
- ReDoS — a crafted input causing the regex engine to hang
- Path traversal — if directory scanning follows symlinks outside the intended scope
We follow coordinated disclosure. If you report a vulnerability, we will:
- Confirm receipt and begin investigation
- Develop and test a fix
- Release a patched version
- Credit you in the release notes (unless you prefer anonymity)
Please avoid posting exploit details publicly until a fix is available.